Linux Kernel Security Subsystem wikidb http://kernsec.org/wiki/index.php/Main_Page MediaWiki 1.36.1 first-letter Media Special Talk User User talk Kernsec Kernsec talk File File talk MediaWiki MediaWiki talk Template Template talk Help Help talk Category Category talk Main Page 0 1 1 2012-04-09T05:04:48Z MediaWiki default 0 wikitext text/x-wiki <big>'''MediaWiki has been successfully installed.'''</big> Consult the [http://meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. == Getting started == * [http://www.mediawiki.org/wiki/Help:Configuration_settings Configuration settings list] * [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ] * [http://mail.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] 928e1deea259c70afc3513c66f29f3fcd740d8bf 2 1 2012-04-09T05:24:13Z JamesMorris 2 wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * Kernel Repository * Projects * Events == Note == This site relates to security development, and not security incident response. For the latter, contact security @ kernel.org. 24bd59a8e22842872c493c8642c65948a5c0af93 3 2 2012-04-09T05:25:58Z JamesMorris 2 /* Note */ wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * Kernel Repository * Projects * Events == Note == This site relates to security development, and not security incident response. For the latter, contact security @ kernel.org. ''Tux Halo logo by Overlord59'' 56a8c236e2bb1e4a23eb76eb548adb78ae6a2a18 5 3 2012-04-09T05:31:06Z JamesMorris 2 /* Note */ wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. 
== Resources== * Kernel Repository * Projects * Events == Note == This site relates to security development, and not security incident response. For the latter, contact security @ kernel.org. It replaces the [https://security.wiki.kernel.org/ old wiki] at kernel.org, which is no longer writable. Thanks to Overlord59 for the Tux Halo logo. 1c4b8f12b30799a09a7fa9684f9e1b5580adc79c 6 5 2012-04-09T05:31:21Z JamesMorris 2 /* Notes */ wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * Kernel Repository * Projects * Events == Note == This site relates to security development, and not security incident response. For the latter, contact security @ kernel.org. It replaces the [http://security.wiki.kernel.org/ old wiki] at kernel.org, which is no longer writable. Thanks to Overlord59 for the Tux Halo logo. 170d80dc5bcd152d5a03a27f3076759fc9bda406 7 6 2012-04-09T05:33:17Z JamesMorris 2 /* Note */ wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * Kernel Repository * Projects * Events == Note == This wiki replaces the [http://security.wiki.kernel.org/ old wiki] at kernel.org, which is no longer writable. To report security vulnerabilities, contact security @ kernel.org. Thanks to Overlord59 for the Tux Halo logo. 124e1214bd982550409b3348e6a236f9da20490c 8 7 2012-04-09T05:33:32Z JamesMorris 2 /* Note */ wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * Kernel Repository * Projects * Events == Notes == This wiki replaces the [http://security.wiki.kernel.org/ old wiki] at kernel.org, which is no longer writable. To report security vulnerabilities, contact security @ kernel.org. Thanks to Overlord59 for the Tux Halo logo. 
66a6d36eb231b341f9f62a211cc613724b5daa65 9 8 2012-04-09T05:34:02Z JamesMorris 2 wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * Kernel Repository * Projects * Events f06dc68e456235551cbf9951908cc56db1dc7e67 13 9 2012-04-09T05:40:23Z JamesMorris 2 /* Resources */ wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * [Kernel Repository] * Projects * Events 4bb32e804c50486a2de4e7cefe8fe013ea9e75dc 14 13 2012-04-09T05:41:00Z JamesMorris 2 /* Resources */ wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * [[Kernel Repository]] * Projects (tbd) * Events (tbd) 1e9449f06a5951b47e58b911d12b677e8374483a 16 14 2012-04-09T12:05:16Z JamesMorris 2 /* Linux Kernel Security Subsystem */ wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * [[Kernel Repository]] * [[Projects]] * Events (tbd) c4e71bfd56fa194bd50df9a2f70bcad076871a37 26 16 2012-04-09T15:10:07Z JamesMorris 2 /* Resources */ wikitext text/x-wiki = Linux Kernel Security Subsystem = This is the Linux kernel security subsystem wiki, a resource for developers and users. == Resources== * [[Kernel Repository]] * [[Projects]] * [[Events]] 0c96859ff177639f52f07d8347df7162fa188e8d User:JamesMorris 2 2 4 2012-04-09T05:29:22Z JamesMorris 2 New page: I'm the Linux kernel security subsystem maintainer. See http://namei.org/ wikitext text/x-wiki I'm the Linux kernel security subsystem maintainer. See http://namei.org/ dd54148d3f11d80f3c286d0c8f004e8330d78c0e Kernsec:About 4 3 10 2012-04-09T05:35:35Z JamesMorris 2 New page: This site is a developer resource for the Linux kernel security subsystem. 
It replaces the [http://security.wiki.kernel.org/ old wiki] at kernel.org, which is no longer writable. To repo... wikitext text/x-wiki This site is a developer resource for the Linux kernel security subsystem. It replaces the [http://security.wiki.kernel.org/ old wiki] at kernel.org, which is no longer writable. To report security vulnerabilities, contact security @ kernel.org. Thanks to Overlord59 for the Tux Halo logo. 5f9146dfe4b31e25d94c5b874bfcee27a5310334 Kernel Repository 0 4 11 2012-04-09T05:38:29Z JamesMorris 2 New page: To develop patches for the kernel security subsystem, use git to clone the linux-security tree: $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git Unles... wikitext text/x-wiki To develop patches for the kernel security subsystem, use git to clone the linux-security tree: $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git Unless otherwise requested, all development should be done against the next branch, which is automatically pulled into the linux-next tree. To track this branch: $ git checkout --track -b my-next origin/next You can also fetch this branch into an existing local kernel repository and manage it via git remote. Refer to the git documentation and the Kernel Hackers' Guide to git for more information. Patches for review and submission should be generated with git format-patch. If you want a git branch pulled directly, use git request-pull. A web-browsable interface via gitweb may be found at: http://git.kernel.org/?p=linux/kernel/git/jmorris/linux-security.git;a=summary Patches should be sent as inline text to linux-kernel @ vger.kernel.org, and preferably cc'd to linux-security-module @ vger.kernel.org and jmorris @ namei.org. 
566c6b38a1b764b17d5b5c86af735f74e70947e8 12 11 2012-04-09T05:39:33Z JamesMorris 2 wikitext text/x-wiki To develop patches for the kernel security subsystem, use git to clone the linux-security tree: <code>$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git</code> Unless otherwise requested, all development should be done against the next branch, which is automatically pulled into the linux-next tree. To track this branch: <code>$ git checkout --track -b my-next origin/next</code> You can also fetch this branch into an existing local kernel repository and manage it via git remote. Refer to the git documentation and the Kernel Hackers' Guide to git for more information. Patches for review and submission should be generated with git format-patch. If you want a git branch pulled directly, use git request-pull. A web-browsable interface via gitweb may be found at: http://git.kernel.org/?p=linux/kernel/git/jmorris/linux-security.git;a=summary Patches should be sent as inline text to linux-kernel @ vger.kernel.org, and preferably cc'd to linux-security-module @ vger.kernel.org and jmorris @ namei.org. d8b3cd6edfd21bd873b0f13baa0b2c4d8decc311 Projects 0 5 15 2012-04-09T12:04:39Z JamesMorris 2 New page: == Kernel Security Projects == === Access Control === * Linux Security Modules (LSM), the API for access control frameworks. * AppArmor, a pathname-based access control system. * Secur... wikitext text/x-wiki == Kernel Security Projects == === Access Control === * Linux Security Modules (LSM), the API for access control frameworks. * AppArmor, a pathname-based access control system. * Security Enhanced Linux (SELinux), a flexible and fine-grained MAC framework. * SMACK, the Simplified Mandatory Access Control Kernel for Linux. * TOMOYO, another pathname-based access control system (LiveCD available). 
* grsecurity, extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...). * RSBAC: Rule Set Based Access Control, Linux kernel patch implementing a security framework. * FBAC-LSM: aims to provide easy to configure (functionality-based) application restrictions. === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * System integrity in Linux. === Privileges === * POSIX File Capabilities ** Filesystem capabilities in Fedora 10 LWN article. === Networking === There are several separately maintained projects relating to network security, including: * Netfilter packet filtering. * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog. * NuFW authenticating firewall based on netfilter === Storage === * Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol. === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list. d6e11b1ba1259defcd97f55f923f472d5d355eb0 17 15 2012-04-09T12:29:59Z JamesMorris 2 /* Access Control */ wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks * AppArmor, a pathname-based access control system. * Security Enhanced Linux (SELinux), a flexible and fine-grained MAC framework. * SMACK, the Simplified Mandatory Access Control Kernel for Linux. * TOMOYO, another pathname-based access control system (LiveCD available). * grsecurity, extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...). * RSBAC: Rule Set Based Access Control, Linux kernel patch implementing a security framework. * FBAC-LSM: aims to provide easy to configure (functionality-based) application restrictions. 
=== Integrity === This is a rapidly developing area, see the following LWN article for an overview: * System integrity in Linux. === Privileges === * POSIX File Capabilities ** Filesystem capabilities in Fedora 10 LWN article. === Networking === There are several separately maintained projects relating to network security, including: * Netfilter packet filtering. * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog. * NuFW authenticating firewall based on netfilter === Storage === * Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol. === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list. 2c5088c7abe608cfbc91c94a15950754a9080d85 18 17 2012-04-09T12:32:58Z JamesMorris 2 /* Access Control */ wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework * [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux * [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) * [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) 
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * System integrity in Linux. === Privileges === * POSIX File Capabilities ** Filesystem capabilities in Fedora 10 LWN article. === Networking === There are several separately maintained projects relating to network security, including: * Netfilter packet filtering. * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog. * NuFW authenticating firewall based on netfilter === Storage === * Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol. === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list. e4a9e6b7c922b8da4a54700971ea6684ebb1b7d1 19 18 2012-04-09T15:02:00Z JamesMorris 2 /* Integrity */ wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework * [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux * [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) * [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) 
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * [http://lwn.net/Articles/309441/ System integrity in Linux] === Privileges === * POSIX File Capabilities ** Filesystem capabilities in Fedora 10 LWN article. === Networking === There are several separately maintained projects relating to network security, including: * Netfilter packet filtering. * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog. * NuFW authenticating firewall based on netfilter === Storage === * Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol. === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list. 633d3e061fa3c5222d352384c1d6864ffccdb1c3 20 19 2012-04-09T15:02:52Z JamesMorris 2 /* Privileges */ wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework * [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux * [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) * [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) 
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * [http://lwn.net/Articles/309441/ System integrity in Linux] === Privileges === * [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities] ** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article] === Networking === There are several separately maintained projects relating to network security, including: * Netfilter packet filtering. * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog. * NuFW authenticating firewall based on netfilter === Storage === * Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol. === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list. 23838cfe26fad4dcd193d4ce2056f0e694a3f151 21 20 2012-04-09T15:04:37Z JamesMorris 2 wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework * [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux * [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) * [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) 
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * [http://lwn.net/Articles/309441/ System integrity in Linux] === Privileges === * [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities] ** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article] === Networking === There are several separately maintained projects relating to network security, including: * [http://www.netfilter.org/ Netfilter] packet filtering * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog] * [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter === Storage === * [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list]. 
fdffd663c57f9e717807055dff92160537aa8fb0 43 21 2012-04-13T03:45:01Z 173.164.30.65 0 /* Storage */ wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework * [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux * [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) * [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) * [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * [http://lwn.net/Articles/309441/ System integrity in Linux] === Privileges === * [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities] ** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article] === Networking === There are several separately maintained projects relating to network security, including: * [http://www.netfilter.org/ Netfilter] packet filtering * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog] * [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter === Storage === * [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to 
the NFSv4 protocol * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list]. a48dbf31a0fbc08a4ee28224db68f197e4ba5376 45 43 2012-04-16T16:37:23Z 173.164.112.133 0 /* Access Control */ wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework * [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux * [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) * [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) 
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD|Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * [http://lwn.net/Articles/309441/ System integrity in Linux] === Privileges === * [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities] ** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article] === Networking === There are several separately maintained projects relating to network security, including: * [http://www.netfilter.org/ Netfilter] packet filtering * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog] * [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter === Storage === * [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list]. 
880f295fcd32c9a6fabe440e80d7f003355fa75a 46 45 2012-04-16T16:37:54Z 173.164.112.133 0 /* Access Control */ wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework * [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux * [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) * [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) * [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * [http://lwn.net/Articles/309441/ System integrity in Linux] === Privileges === * [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities] ** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article] === Networking === There are several separately maintained projects relating to network security, including: * [http://www.netfilter.org/ Netfilter] packet filtering * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see 
[http://paulmoore.livejournal.com/ Paul Moore's blog] * [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter === Storage === * [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list]. e25ae155faa722876337bf1aed024c07eaec12d7 47 46 2012-04-16T16:39:01Z 173.164.112.133 0 /* Kernel Security Projects */ wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework * [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux * [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) * [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) 
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * [http://lwn.net/Articles/309441/ System integrity in Linux] === Privileges === * [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities] ** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article] === Networking === There are several separately maintained projects relating to network security, including: * [http://www.netfilter.org/ Netfilter] packet filtering * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog] * [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter === Storage === * [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list]. a06ad8a0874e4272676ce96b80d4a6bd9301757a Events 0 6 22 2012-04-09T15:07:21Z JamesMorris 2 New page: == Upcoming == * Linux Security Summit 2011, Santa Rosa, CA, USA. == Past == *2011 ** Linux Security Summit 2011, Santa Rosa, CA, USA. *2010 **Linux Security Summit 2010, Boston MA,... 
wikitext text/x-wiki == Upcoming == * Linux Security Summit 2011, Santa Rosa, CA, USA. == Past == *2011 ** Linux Security Summit 2011, Santa Rosa, CA, USA. *2010 **Linux Security Summit 2010, Boston MA, USA. *2009 **Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. ***CFP ***LWN discussion **SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. ***Event Details **Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. ***Enhanced Securities: Where Should We Go Next **Kernel Conference Australia, July 2009, Brisbane, Australia. This event featured a talk on the Linux kernel security subsystem by James Morris, and a security discussion panel. **LCA security miniconf 20 January 2009, Hobart, Australia. b87b50f8373b0701de764f469d3ebd234cc57851 23 22 2012-04-09T15:07:59Z JamesMorris 2 /* Past */ wikitext text/x-wiki == Upcoming == * Linux Security Summit 2011, Santa Rosa, CA, USA. == Past == ===2011=== * Linux Security Summit 2011, Santa Rosa, CA, USA. *2010 **Linux Security Summit 2010, Boston MA, USA. *2009 **Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. ***CFP ***LWN discussion **SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. ***Event Details **Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. ***Enhanced Securities: Where Should We Go Next **Kernel Conference Australia, July 2009, Brisbane, Australia. **LCA security miniconf 20 January 2009, Hobart, Australia. 610ab1cf14c1dafcef1804861b1bc3a6b8b0551a 24 23 2012-04-09T15:08:42Z JamesMorris 2 wikitext text/x-wiki == Upcoming == ===2012=== * Linux Security Summit 2011, Santa Rosa, CA, USA. == Past == ===2011=== * Linux Security Summit 2011, Santa Rosa, CA, USA. ===2010=== *Linux Security Summit 2010, Boston MA, USA. 
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
ba64fd8dfecb48fbb0d59fe6dc491b5549117125

25 24 2012-04-09T15:09:02Z JamesMorris 2
wikitext text/x-wiki
== Upcoming ==
===2012===
* Linux Security Summit 2012, San Diego, CA, USA.

== Past ==
===2011===
* Linux Security Summit 2011, Santa Rosa, CA, USA.
===2010===
*Linux Security Summit 2010, Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
dda2ca82fbaaa4c553a11ef05db9dfe047eb5e06

28 25 2012-04-10T15:02:21Z JamesMorris 2 /* 2011 */
wikitext text/x-wiki
== Upcoming ==
===2012===
* Linux Security Summit 2012, San Diego, CA, USA.

== Past ==
===2011===
* [[LinuxSecuritySummit2011|Linux Security Summit 2011]], Santa Rosa, CA, USA.
===2010===
*Linux Security Summit 2010, Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
5bf7578ed3f0a17a463cc05421b71c2c98e638e9

30 28 2012-04-10T15:06:40Z JamesMorris 2 /* 2011 */
wikitext text/x-wiki
== Upcoming ==
===2012===
* Linux Security Summit 2012, San Diego, CA, USA.

== Past ==
===2011===
* [https://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2011_bfc3.html|Linux Security Summit 2011]], Santa Rosa, CA, USA.
===2010===
*Linux Security Summit 2010, Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
f341ca3ed70052cbd3696f22be11566606cc50a4

31 30 2012-04-10T15:06:53Z JamesMorris 2 /* 2011 */
wikitext text/x-wiki
== Upcoming ==
===2012===
* Linux Security Summit 2012, San Diego, CA, USA.

== Past ==
===2011===
* [http://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2011_bfc3.html|Linux Security Summit 2011], Santa Rosa, CA, USA.
===2010===
*Linux Security Summit 2010, Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
59c160449183fc592f0b53db0625823da855bb23

32 31 2012-04-10T15:07:37Z JamesMorris 2 /* 2010 */
wikitext text/x-wiki
== Upcoming ==
===2012===
* Linux Security Summit 2012, San Diego, CA, USA.

== Past ==
===2011===
* [http://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2011_bfc3.html|Linux Security Summit 2011], Santa Rosa, CA, USA.
===2010===
*[https://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2010_8768.html Linux Security Summit 2010], Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
00db5d1a9e6ad039f418c5cb284aa2ee53d5706d

33 32 2012-04-10T15:07:50Z JamesMorris 2 /* 2010 */
wikitext text/x-wiki
== Upcoming ==
===2012===
* Linux Security Summit 2012, San Diego, CA, USA.

== Past ==
===2011===
* [http://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2011_bfc3.html|Linux Security Summit 2011], Santa Rosa, CA, USA.
===2010===
*[http://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2010_8768.html Linux Security Summit 2010], Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
91d0d984c6878e75eec1ccfe69b9a7c77f64dec7

34 33 2012-04-10T15:16:57Z JamesMorris 2 /* 2012 */
wikitext text/x-wiki
== Upcoming ==
===2012===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

== Past ==
===2011===
* [http://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2011_bfc3.html|Linux Security Summit 2011], Santa Rosa, CA, USA.
===2010===
*[http://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2010_8768.html Linux Security Summit 2010], Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
36d721f83479f0421dfb6c219274140e63f90f65

38 34 2012-04-10T15:18:36Z JamesMorris 2
wikitext text/x-wiki
== Upcoming ==
===2012===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

== Past ==
===2011===
* [http://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2011_bfc3.html|Linux Security Summit 2011], Santa Rosa, CA, USA.
===2010===
*[http://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2010_8768.html Linux Security Summit 2010], Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
57f38b69956f170d8a37bae0d9211742d3d63874

39 38 2012-04-12T13:14:08Z JamesMorris 2
wikitext text/x-wiki
== Upcoming ==
===2012===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

== Past ==
===2011===
* [https://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2011_bfc3.html|Linux Security Summit 2011], Santa Rosa, CA, USA.
===2010===
*[https://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2010_8768.html Linux Security Summit 2010], Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
f5d7e3c264f8debbb5b53db3bae22af0fff17bb7

40 39 2012-04-12T13:14:30Z JamesMorris 2
wikitext text/x-wiki
== Upcoming ==
===2012===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

== Past ==
===2011===
* [https://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2011_bfc3.html Linux Security Summit 2011], Santa Rosa, CA, USA.
===2010===
*[https://security.wiki.kernel.org/articles/l/i/n/LinuxSecuritySummit2010_8768.html Linux Security Summit 2010], Boston MA, USA.
===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf, 20 January 2009, Hobart, Australia.
1a875c90f03b7d7b9cd938ca1cc9d56fa1ec112e

LinuxSecuritySummit2011 0 7 27 2012-04-10T15:01:33Z JamesMorris 2 New page: = Linux Security Summit 2011 = ==Latest News== 15 Jun 2011: The schedule is now published. 30 May 2011: The CFP is now closed. ==Description== The Linux Security Summit (LSS)...
wikitext text/x-wiki
= Linux Security Summit 2011 =

==Latest News==
15 Jun 2011: The schedule is now published.
30 May 2011: The CFP is now closed.

==Description==
The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
Selected brief presentations
In-depth roundtable discussions

==Venue==
The Linux Security Summit for 2011 will be held on the 8th of September at the Hyatt Vineyard Creek in Santa Rosa, CA, USA. It will be co-located with the Linux Plumbers Conference (LPC), and located in the Sonoma Mountain conference room.

Note that Linux Security Summit attendees and speakers must be registered to attend LPC. See the LPC site for full details on registration, travel, and accommodation.

Schedule
See the Schedule for a timetable of the summit and talk abstracts.
Printable version

==Dates==
CFP open: 4th April 2011
CFP close: 27th May 2011
Speaker notification: 1st June 2011
Event: 8th September 2011

==Participation==
The event is open to all registered LPC attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.

Mailing list
Everyone planning to attend should join the event mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit

Updates and announcements about the event will also be sent to the list.
==Program Committee==
The Linux Security Summit for 2011 is organized by:
James Morris, Red Hat
Serge Hallyn, Canonical
Paul Moore, HP
Stephen Smalley, NSA
Joshua Brindle, Tresys
Tetsuo Handa, NTT Data
Herbert Xu, Red Hat
John Johansen, Canonical
Kees Cook, Canonical
Casey Schaufler, Smack Project

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

==Resources==
Linux Security Summit 2010 - last year's event, held in Boston.
b257b2ee269f02993362cda7f9d4001e6d015eb8

29 27 2012-04-10T15:04:10Z JamesMorris 2
wikitext text/x-wiki
= Linux Security Summit 2011 =

==Latest News==
*15 Jun 2011: The schedule is now published.
*30 May 2011: The CFP is now closed.

==Description==
The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
*Selected brief presentations
*In-depth roundtable discussions

==Venue==
The Linux Security Summit for 2011 will be held on the 8th of September at the Hyatt Vineyard Creek in Santa Rosa, CA, USA. It will be co-located with the Linux Plumbers Conference (LPC), and located in the Sonoma Mountain conference room.

Note that Linux Security Summit attendees and speakers must be registered to attend LPC. See the LPC site for full details on registration, travel, and accommodation.

Schedule
See the Schedule for a timetable of the summit and talk abstracts.

==Dates==
*CFP open: 4th April 2011
*CFP close: 27th May 2011
*Speaker notification: 1st June 2011
*Event: 8th September 2011

==Participation==
The event is open to all registered LPC attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.
Mailing list
Everyone planning to attend should join the event mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit

Updates and announcements about the event will also be sent to the list.

==Program Committee==
The Linux Security Summit for 2011 is organized by:
*James Morris, Red Hat
*Serge Hallyn, Canonical
*Paul Moore, HP
*Stephen Smalley, NSA
*Joshua Brindle, Tresys
*Tetsuo Handa, NTT Data
*Herbert Xu, Red Hat
*John Johansen, Canonical
*Kees Cook, Canonical
*Casey Schaufler, Smack Project

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

==Resources==
*Linux Security Summit 2010 - last year's event, held in Boston.
aa122b04fc7c1caa46ab045afd3faea07d01a605

Linux Security Summit 2012 0 8 35 2012-04-10T15:17:08Z JamesMorris 2 New page: tbd
wikitext text/x-wiki
tbd
1d9c8ac0b20576c0f57f0b78929d8a9dde6e79aa

36 35 2012-04-10T15:17:43Z JamesMorris 2
wikitext text/x-wiki
''The Linux Security Summit for 2012 will be held on the 30th and 31st of August in San Diego, CA, USA. It will be co-located with LinuxCon North America, Plumbers and the Kernel Summit. More details to follow.''
51a663ef0566f4171e47e460eea079cb48e41c4e

37 36 2012-04-10T15:18:11Z JamesMorris 2
wikitext text/x-wiki
The Linux Security Summit for 2012 will be held on the 30th and 31st of August in San Diego, CA, USA. It will be co-located with LinuxCon North America, Plumbers and the Kernel Summit. More details to follow.
c3c6a7367a6a5b0c7ffaae6e896c918ecf92ef51

41 37 2012-04-12T13:26:00Z JamesMorris 2
wikitext text/x-wiki
=Description=
The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.
The format of the summit will be:
* Refereed presentations
* Short talks
* Roundtable discussions
* Breakout development sessions

=Dates and Location=
The Linux Security Summit for 2012 will be held across 30 and 31 August in San Diego, CA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as Linux Plumbers and the Kernel Summit.

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.

=Call for Participation=
The Linux Security Summit call for participation (CFP) is now open, and will close on the 23rd of May.

The program committee currently seeks proposals for:
* '''Refereed Presentations''' 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* '''Short Talks''' 30 minutes in length, discussion-oriented. Slides should be minimal.
* '''Roundtable Discussion Topics''' These discussions are typically one hour in length and are used to explore and resolve current issues.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

=Attendance=
The event is open to all registered LinuxCon attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.
=Program Committee=
The Linux Security Summit for 2012 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Tresys
* Tetsuo Handa, NTT Data
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org
c45ae1ef4d96d2c3f34987f3cab0857d1dc26c55

42 41 2012-04-12T13:26:16Z JamesMorris 2 /* Call for Participation */
wikitext text/x-wiki
=Description=
The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Short talks
* Roundtable discussions
* Breakout development sessions

=Dates and Location=
The Linux Security Summit for 2012 will be held across 30 and 31 August in San Diego, CA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as Linux Plumbers and the Kernel Summit.

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.

=Call for Participation=
The Linux Security Summit call for participation (CFP) is now open, and will close on the 23rd of May.

The program committee currently seeks proposals for:
* '''Refereed Presentations''' 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* '''Short Talks''' 30 minutes in length, discussion-oriented. Slides should be minimal.
* '''Roundtable Discussion Topics''' These discussions are typically one hour in length and are used to explore and resolve current issues.
Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

=Attendance=
The event is open to all registered LinuxCon attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.

=Program Committee=
The Linux Security Summit for 2012 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Tresys
* Tetsuo Handa, NTT Data
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org
73c85f1518c87c6d7999a8dc96a63a99e6c520f3
online, 74465, http://price-drugs.com/order-lasix-online-en.html buy Lasix online, 8OO, http://ordergenericdrugs.com/products/celebrex.htm buy celebrex, ivofn, http://shopdrugcheap.com/order-diflucan-online-en.html buy Diflucan, 216094, 2c30bb4f0a9b05b4f4505a721f483acea5843b7e 108 107 2012-05-04T21:32:03Z 31.184.238.15 0 EVHXTYPzHUY wikitext text/x-wiki comment6, http://price-drugs.com/order-lipitor-online-en.html generic Lipitor, :-]], http://price-drugs.com/order-viagra-professional-online-en.html Viagra Professional, 621327, http://price-drugs.com/order-prednisone-online-en.html buy Prednisone, 969931, http://shopdrugcheap.com/order-cipro-online-en.html buy Cipro online, 689, http://ordergenericdrugs.com/products/levitra.htm generic levitra, 202, b6aa4125762faf1ca55b757ecdf1ddd34498c8e4 109 108 2012-05-04T21:37:39Z 31.184.238.15 0 PiMYfuQU wikitext text/x-wiki comment5, http://ordergenericdrugs.com/products/female-viagra.htm cheap female viagra, baix, http://more-drugs.com/products/pepcid.htm buy pepcid, qpl, http://shopdrugcheap.com/order-kamagra-online-en.html Kamagra, 936202, http://shopdrugcheap.com/order-accutane-online-en.html buy Accutane, johsld, http://shopdrugcheap.com/order-retin-a-online-en.html generic Retin-A, pmc, f5492c9c7c1860b7ac90ddfae2636fb1f2376ee1 110 109 2012-05-04T21:43:12Z 31.184.238.15 0 VhZafGQqeSWTbKfmB wikitext text/x-wiki comment5, http://price-drugs.com/order-kamagra-online-en.html buy Kamagra, >:-OOO, http://shopdrugcheap.com/order-viagra-professional-online-en.html Viagra Professional, 8OOO, http://ordergenericdrugs.com/products/strattera.htm buy strattera online, 78609, http://more-drugs.com/products/viagra-super-active-plus.htm cheap viagra super active, :)), http://more-drugs.com/products/prevacid.htm buy prevacid online, 18525, cf0c5a6d8456c7abe7be9b2ad8ac80417f707d39 111 110 2012-05-04T21:49:05Z 31.184.238.15 0 aVkhJAsaHiYQlE wikitext text/x-wiki comment3, http://price-drugs.com/order-ampicillin-online-en.html generic 
Ampicillin, 0007, http://shopdrugcheap.com/order-strattera-online-en.html buy Strattera online, 8PP, http://price-drugs.com/order-proventil-online-en.html buy Proventil, :-((, http://more-drugs.com/products/female-viagra.htm buy female viagra online, :P, http://shopdrugcheap.com/order-cialis-online-en.html Cialis, 06036, 1644c2251ffaf25b939a6ed3df82f7b3e1c54178 112 111 2012-05-04T21:54:06Z 31.184.238.15 0 YqxMGUVQRQWZ wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-propecia-online-en.html buy Propecia online, 442554, http://more-drugs.com/products/viagra.htm cheap viagra, bqaxd, http://price-drugs.com/order-bactrim-online-en.html Bactrim, 712, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft, krjc, http://price-drugs.com/order-cipro-online-en.html Cipro, 0376, 6ef6d9fc08432c48c41cd0dcec152ec108e52134 113 112 2012-05-04T21:59:33Z 31.184.238.15 0 LeNzeUFeDRgl wikitext text/x-wiki comment1, http://ordergenericdrugs.com/products/pepcid.htm buy pepcid online, lhkfd, http://price-drugs.com/order-cialis-super-active-online-en.html buy Cialis Super Active online, :-D, http://price-drugs.com/order-viagra-online-en.html Viagra, 3900, http://ordergenericdrugs.com/products/cipro.htm cheap cipro, 283637, http://ordergenericdrugs.com/products/rogaine-5-.htm cheap rogaine 5%, ibh, a477b8bec2bac32d0c1391c54d9e41ab668a51ac 114 113 2012-05-04T22:04:50Z 31.184.238.15 0 FLbPjFqjWjDk wikitext text/x-wiki comment6, http://price-drugs.com/order-lipitor-online-en.html Lipitor, 172, http://price-drugs.com/order-viagra-professional-online-en.html generic Viagra Professional, 241611, http://price-drugs.com/order-prednisone-online-en.html generic Prednisone, 29034, http://shopdrugcheap.com/order-cipro-online-en.html generic Cipro, pdkgoh, http://ordergenericdrugs.com/products/levitra.htm buy levitra, >:-O, db73cb29cba313ebf4353ff4170ab80cad17504d 115 114 2012-05-04T22:10:09Z 31.184.238.15 0 KpynPvjGh wikitext text/x-wiki comment4, 
http://shopdrugcheap.com/order-clomid-online-en.html generic Clomid, =-P, http://shopdrugcheap.com/order-orlistat-online-en.html generic Orlistat, 4601, http://more-drugs.com/products/cialis-super-active-plus.htm cheap cialis super active, 276, http://shopdrugcheap.com/order-zoloft-online-en.html buy Zoloft online, 48831, http://ordergenericdrugs.com/products/kamagra.htm buy kamagra, 491, fa363ab00f48f1c0d6f8be4143810fff4b2e2c9b 116 115 2012-05-04T22:15:38Z 31.184.238.15 0 YWoIZshczS wikitext text/x-wiki comment4, http://price-drugs.com/order-female-viagra-online-en.html Female Viagra, >:-[[[, http://more-drugs.com/products/propecia.htm generic propecia, 8-]], http://price-drugs.com/order-doxycycline-online-en.html Doxycycline, jxfcnx, http://shopdrugcheap.com/order-lasix-online-en.html Lasix, 26351, http://price-drugs.com/order-zoloft-online-en.html Zoloft, >:PPP, 926c754ef061b5386264e2664efb6db4ea33be6f 117 116 2012-05-04T22:21:13Z 31.184.238.15 0 aIRVIysjmhHviUhI wikitext text/x-wiki comment6, http://price-drugs.com/order-kamagra-online-en.html generic Kamagra, =)), http://shopdrugcheap.com/order-viagra-professional-online-en.html Viagra Professional, %]], http://ordergenericdrugs.com/products/strattera.htm buy strattera, 8]], http://more-drugs.com/products/viagra-super-active-plus.htm buy viagra super active online, >:(, http://more-drugs.com/products/prevacid.htm buy prevacid, zdh, 19de554cdc40c358b4861a1fd5f7eb497a1ea384 118 117 2012-05-04T22:26:46Z 31.184.238.15 0 psQEMKVXM wikitext text/x-wiki comment4, http://price-drugs.com/order-female-viagra-online-en.html generic Female Viagra, lepif, http://more-drugs.com/products/propecia.htm cheap propecia, 2688, http://price-drugs.com/order-doxycycline-online-en.html buy Doxycycline online, brs, http://shopdrugcheap.com/order-lasix-online-en.html Lasix, 268330, http://price-drugs.com/order-zoloft-online-en.html generic Zoloft, jjdvlp, c37e631fbe43eacd8d5d674a372c719bd2a072ab 119 118 2012-05-04T22:32:21Z 
31.184.238.15 0 QyQbPoWkThFV wikitext text/x-wiki comment5, http://price-drugs.com/order-female-viagra-online-en.html Female Viagra, qud, http://more-drugs.com/products/propecia.htm buy propecia online, cdhi, http://price-drugs.com/order-doxycycline-online-en.html Doxycycline, 7364, http://shopdrugcheap.com/order-lasix-online-en.html Lasix, 4424, http://price-drugs.com/order-zoloft-online-en.html Zoloft, :))), 21b9ae23cef33bbe27f0c7a5579adf9be7df0cf2 120 119 2012-05-04T22:37:36Z 31.184.238.15 0 MnFrGKfZZksT wikitext text/x-wiki comment2, http://price-drugs.com/order-lipitor-online-en.html Lipitor, bfx, http://price-drugs.com/order-viagra-professional-online-en.html generic Viagra Professional, 911266, http://price-drugs.com/order-prednisone-online-en.html generic Prednisone, msth, http://shopdrugcheap.com/order-cipro-online-en.html Cipro, 2523, http://ordergenericdrugs.com/products/levitra.htm cheap levitra, 221, e0508f823b05f86649e62be29d615338866270f0 121 120 2012-05-04T22:43:32Z 31.184.238.15 0 NHOLPdanPMIVBMac wikitext text/x-wiki comment3, http://ordergenericdrugs.com/products/female-viagra.htm generic female viagra, mew, http://more-drugs.com/products/pepcid.htm generic pepcid, %PP, http://shopdrugcheap.com/order-kamagra-online-en.html buy Kamagra online, 412, http://shopdrugcheap.com/order-accutane-online-en.html buy Accutane, =-)), http://shopdrugcheap.com/order-retin-a-online-en.html buy Retin-A online, mzky, 927795fa73ba04769f17978fdf3d509976e1b7e1 122 121 2012-05-04T22:48:45Z 31.184.238.15 0 ZaiXEdvpqkmnskfwj wikitext text/x-wiki comment1, http://price-drugs.com/order-lipitor-online-en.html buy Lipitor, zgoky, http://price-drugs.com/order-viagra-professional-online-en.html buy Viagra Professional online, :-)), http://price-drugs.com/order-prednisone-online-en.html buy Prednisone online, 7287, http://shopdrugcheap.com/order-cipro-online-en.html Cipro, ugwl, http://ordergenericdrugs.com/products/levitra.htm cheap levitra, >:-((, 
a30f52ebbda6531c3c17e18ab91adc47e86824f2 123 122 2012-05-04T22:54:02Z 31.184.238.15 0 NvSqFDnDUXP wikitext text/x-wiki comment2, http://more-drugs.com/products/diflucan.htm buy diflucan, %PPP, http://price-drugs.com/order-cialis-professional-online-en.html generic Cialis Professional, rfe, http://price-drugs.com/order-levaquin-online-en.html Levaquin, ldbe, http://shopdrugcheap.com/order-priligy-online-en.html Priligy, %-[[, http://price-drugs.com/order-diflucan-online-en.html generic Diflucan, plyzu, dd48210d70ead47605c05e1f265e69f1a5561980 124 123 2012-05-04T22:59:05Z 31.184.238.15 0 ligigHkuoInU wikitext text/x-wiki comment3, http://more-drugs.com/products/synthroid.htm cheap synthroid, =-(, http://more-drugs.com/products/cialis.htm buy cialis, 5075, http://ordergenericdrugs.com/products/viagra-super-active-plus.htm buy viagra super active, tzcv, http://more-drugs.com/products/nexium.htm buy nexium online, =DDD, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm buy kamagra oral jelly online, =-(((, 016eec58ecda13eee88d0222ee5be7ed66fb72cc 125 124 2012-05-04T23:05:06Z 31.184.238.15 0 xFeWwnDiSNA wikitext text/x-wiki comment5, http://shopdrugcheap.com/order-accutane-online-en.html generic Accutane, fvedyl, http://price-drugs.com/order-amoxil-online-en.html Amoxil, =-O, http://price-drugs.com/order-lasix-online-en.html generic Lasix, 8034, http://ordergenericdrugs.com/products/celebrex.htm buy celebrex online, :[[[, http://shopdrugcheap.com/order-diflucan-online-en.html buy Diflucan, 07199, 7b30e408431e6b2f8dc6937dc22e0e1ee7537387 126 125 2012-05-04T23:10:41Z 31.184.238.15 0 jvTTNLJzZDe wikitext text/x-wiki comment5, http://shopdrugcheap.com/order-zithromax-online-en.html buy Zithromax, 208, http://price-drugs.com/order-clomid-online-en.html Clomid, qpwqq, http://ordergenericdrugs.com/products/zovirax.htm buy zovirax online, ahrtbu, http://ordergenericdrugs.com/products/amoxil.htm cheap amoxil, 3782, http://more-drugs.com/products/plavix.htm cheap 
plavix, awhgmv, 12dfd31d97760a1ba432acda22834f064c335f69 127 126 2012-05-04T23:16:04Z 31.184.238.15 0 cSUhCzBszPpY wikitext text/x-wiki comment5, http://price-drugs.com/order-kamagra-online-en.html buy Kamagra, 9652, http://shopdrugcheap.com/order-viagra-professional-online-en.html buy Viagra Professional, 038, http://ordergenericdrugs.com/products/strattera.htm generic strattera, =(, http://more-drugs.com/products/viagra-super-active-plus.htm cheap viagra super active, :[[[, http://more-drugs.com/products/prevacid.htm buy prevacid, vnuazw, b8141238877e78837c381fcf5029b267ed1f53d6 128 127 2012-05-04T23:21:38Z 31.184.238.15 0 UwnyqkhLfgBCwja wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-viagra-online-en.html buy Viagra online, xxuqng, http://price-drugs.com/order-zithromax-online-en.html generic Zithromax, :PPP, http://shopdrugcheap.com/order-cialis-professional-online-en.html buy Cialis Professional online, rxnwg, http://ordergenericdrugs.com/products/xenical.htm generic xenical, 74426, http://shopdrugcheap.com/order-levitra-online-en.html buy Levitra, 60553, fb5888de8fa9fdf19f74f864a038f51165d1f3aa 129 128 2012-05-04T23:27:27Z 31.184.238.15 0 lFZEeOaeS wikitext text/x-wiki comment3, http://shopdrugcheap.com/order-female-viagra-online-en.html buy Female Viagra online, 8-), http://more-drugs.com/products/deltasone.htm buy deltasone, 119621, http://price-drugs.com/order-nolvadex-online-en.html buy Nolvadex online, 8]], http://price-drugs.com/order-viagra-super-active-online-en.html buy Viagra Super Active, 6633, http://more-drugs.com/products/cialis-professional.htm cheap cialis professional, %-[[[, 52ede811480046b32ae9c54d00336293ee91be8b 130 129 2012-05-04T23:32:54Z 31.184.238.15 0 qVozCbYK wikitext text/x-wiki comment5, http://more-drugs.com/products/viagra-professional.htm cheap viagra professional, 78465, http://ordergenericdrugs.com/products/viagra.htm generic viagra, :-OO, http://ordergenericdrugs.com/products/propecia.htm cheap propecia, :D, 
http://more-drugs.com/products/clomid.htm buy clomid online, 60106, http://price-drugs.com/order-levitra-online-en.html generic Levitra, uuwv, ce34a8502e749528aa9adb04541e246835e48977 131 130 2012-05-04T23:38:39Z 31.184.238.15 0 rKnahLPzcca wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-zithromax-online-en.html buy Zithromax online, %P, http://price-drugs.com/order-clomid-online-en.html Clomid, 2946, http://ordergenericdrugs.com/products/zovirax.htm cheap zovirax, frnm, http://ordergenericdrugs.com/products/amoxil.htm generic amoxil, nqrqs, http://more-drugs.com/products/plavix.htm cheap plavix, wom, a138a004017250080fd2c4b052e47b3f9d7808b7 132 131 2012-05-04T23:44:25Z 31.184.238.15 0 xJuXTXRo wikitext text/x-wiki comment6, http://shopdrugcheap.com/order-accutane-online-en.html buy Accutane, may, http://price-drugs.com/order-amoxil-online-en.html generic Amoxil, 943, http://price-drugs.com/order-lasix-online-en.html buy Lasix online, >:-)), http://ordergenericdrugs.com/products/celebrex.htm cheap celebrex, :-PP, http://shopdrugcheap.com/order-diflucan-online-en.html buy Diflucan online, 2158, f6ac61ad0cda0cf7b0ca9ce0ebff7bd41ff39c0f 133 132 2012-05-04T23:49:55Z 31.184.238.15 0 jbzRRVfr wikitext text/x-wiki comment4, http://price-drugs.com/order-female-viagra-online-en.html buy Female Viagra online, :OOO, http://more-drugs.com/products/propecia.htm cheap propecia, >:]], http://price-drugs.com/order-doxycycline-online-en.html buy Doxycycline, 626, http://shopdrugcheap.com/order-lasix-online-en.html buy Lasix online, =(, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft online, jaw, b84e69d36865a1b79f5fb49b1587b2a9b5521f38 134 133 2012-05-04T23:55:15Z 31.184.238.15 0 eKwuzulST wikitext text/x-wiki comment2, http://price-drugs.com/order-ampicillin-online-en.html buy Ampicillin online, 3234, http://shopdrugcheap.com/order-strattera-online-en.html buy Strattera online, %-PP, http://price-drugs.com/order-proventil-online-en.html buy Proventil, 
>:-OO, http://more-drugs.com/products/female-viagra.htm cheap female viagra, wjq, http://shopdrugcheap.com/order-cialis-online-en.html buy Cialis online, 4439, 175aff036265db2cad971cb0ff91dff459bbe9a6 135 134 2012-05-05T00:01:04Z 31.184.238.15 0 mPgDCbySQ wikitext text/x-wiki comment6, http://price-drugs.com/order-zithromax-online-en.html Zithromax, >:-))), http://ordergenericdrugs.com/products/cialis-super-active-plus.htm buy cialis super active online, =-)), http://shopdrugcheap.com/order-synthroid-online-en.html Synthroid, leycyb, http://shopdrugcheap.com/order-tadacip-online-en.html buy Tadacip, >:[[, http://ordergenericdrugs.com/products/cialis.htm buy cialis, 33328, 82a17aba512aedec95e699233c0c8900f2df6104 136 135 2012-05-05T00:06:39Z 31.184.238.15 0 wOGQnmXzebmIVnCpFT wikitext text/x-wiki comment6, http://more-drugs.com/products/synthroid.htm generic synthroid, 836, http://more-drugs.com/products/cialis.htm cheap cialis, 8-PPP, http://ordergenericdrugs.com/products/viagra-super-active-plus.htm buy viagra super active, >:-[[, http://more-drugs.com/products/nexium.htm generic nexium, yvx, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm buy kamagra oral jelly online, nwdex, ff2ef76e8c45ece73320c5b5f7d7f2f02bf6149e 137 136 2012-05-05T00:11:52Z 31.184.238.15 0 HglAaRENW wikitext text/x-wiki comment6, http://shopdrugcheap.com/order-propecia-online-en.html generic Propecia, mgrjx, http://more-drugs.com/products/viagra.htm buy viagra online, 9823, http://price-drugs.com/order-bactrim-online-en.html generic Bactrim, :DD, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft online, gbmprc, http://price-drugs.com/order-cipro-online-en.html buy Cipro, 8548, 9a36ecdabba4750a0384430eb430e6fd906bec91 138 137 2012-05-05T00:17:37Z 31.184.238.15 0 AXTIOSvfSKWXfBxzaB wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-viagra-online-en.html Viagra, 852813, http://price-drugs.com/order-zithromax-online-en.html Zithromax, waff, 
http://shopdrugcheap.com/order-cialis-professional-online-en.html generic Cialis Professional, qxw, http://ordergenericdrugs.com/products/xenical.htm generic xenical, ivmlb, http://shopdrugcheap.com/order-levitra-online-en.html Levitra, >:OOO, 0a422d56a49a0e6dae5944bd0e63f2bf550f27eb 139 138 2012-05-05T00:23:20Z 31.184.238.15 0 GKEvoBwsFei wikitext text/x-wiki comment3, http://more-drugs.com/products/cipro.htm buy cipro, 57887, http://price-drugs.com/order-cialis-online-en.html buy Cialis online, 056257, http://ordergenericdrugs.com/products/deltasone.htm buy deltasone online, wug, http://price-drugs.com/order-propecia-online-en.html buy Propecia online, 01335, http://more-drugs.com/products/nolvadex.htm buy nolvadex, 11791, 626c47c02902a94832e296895d3d6e5c182fff05 140 139 2012-05-05T00:29:10Z 31.184.238.15 0 SIfhBaXcCQ wikitext text/x-wiki comment1, http://shopdrugcheap.com/order-proscar-online-en.html buy Proscar, svii, http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy Viagra Super Active online, zzbfrr, http://ordergenericdrugs.com/products/clomid.htm buy clomid, ybex, http://price-drugs.com/order-flagyl-online-en.html generic Flagyl, gefiq, http://ordergenericdrugs.com/products/prevacid.htm buy prevacid, :]], 22d68dd83aa9082bfeb89adbc428786dc91f18b6 Linux Security Summit 2012 0 8 141 140 2012-05-05T00:34:42Z 31.184.238.15 0 iXZHiyRc wikitext text/x-wiki comment2, http://price-drugs.com/order-lipitor-online-en.html generic Lipitor, 8610, http://price-drugs.com/order-viagra-professional-online-en.html Viagra Professional, yesrr, http://price-drugs.com/order-prednisone-online-en.html buy Prednisone online, 060, http://shopdrugcheap.com/order-cipro-online-en.html generic Cipro, =P, http://ordergenericdrugs.com/products/levitra.htm generic levitra, %-DD, 6dda1249efd573fc09009cd4fd0eb4ed6a953d61 142 141 2012-05-05T00:39:50Z 31.184.238.15 0 bYziAFNjE wikitext text/x-wiki comment6, http://shopdrugcheap.com/order-zithromax-online-en.html Zithromax, 
>:D, http://price-drugs.com/order-clomid-online-en.html buy Clomid online, =-]], http://ordergenericdrugs.com/products/zovirax.htm generic zovirax, =PPP, http://ordergenericdrugs.com/products/amoxil.htm buy amoxil online, :(((, http://more-drugs.com/products/plavix.htm generic plavix, mcdy, 48e0cccfec407c384658c62fc3303dac188ab6d9 143 142 2012-05-05T00:45:24Z 31.184.238.15 0 ITIMEyixOHZBh wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-propecia-online-en.html buy Propecia, 174333, http://more-drugs.com/products/viagra.htm buy viagra online, 870, http://price-drugs.com/order-bactrim-online-en.html buy Bactrim, kbwt, http://price-drugs.com/order-zoloft-online-en.html generic Zoloft, yqkfz, http://price-drugs.com/order-cipro-online-en.html generic Cipro, 63865, 86dea21a72ac28b47e148f28619ceec6c2d88892 144 143 2012-05-05T00:50:37Z 31.184.238.15 0 DrJBdlAykTNJzPWM wikitext text/x-wiki comment1, http://shopdrugcheap.com/order-propecia-online-en.html buy Propecia, 5349, http://more-drugs.com/products/viagra.htm buy viagra online, =]]], http://price-drugs.com/order-bactrim-online-en.html Bactrim, 918976, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft, 543432, http://price-drugs.com/order-cipro-online-en.html generic Cipro, 50934, a0fdac7eb4c13d218cacd6bc7580854d7246f11f 145 144 2012-05-05T00:56:01Z 31.184.238.15 0 kpKioQfaPw wikitext text/x-wiki comment2, http://price-drugs.com/order-lipitor-online-en.html generic Lipitor, >:[[, http://price-drugs.com/order-viagra-professional-online-en.html generic Viagra Professional, 400199, http://price-drugs.com/order-prednisone-online-en.html buy Prednisone online, >:((, http://shopdrugcheap.com/order-cipro-online-en.html buy Cipro online, =((, http://ordergenericdrugs.com/products/levitra.htm buy levitra online, 507960, a8f4a57d7dec05d3827884742a939275511060a7 146 145 2012-05-05T01:01:28Z 31.184.238.15 0 eNINcXpuxWkmoONMIvL wikitext text/x-wiki comment5, 
http://price-drugs.com/order-lipitor-online-en.html buy Lipitor, simm, http://price-drugs.com/order-viagra-professional-online-en.html Viagra Professional, 178840, http://price-drugs.com/order-prednisone-online-en.html generic Prednisone, thq, http://shopdrugcheap.com/order-cipro-online-en.html generic Cipro, %-PPP, http://ordergenericdrugs.com/products/levitra.htm generic levitra, =-[[[, 265d87998412ed1ebc23c24256890f153f84fb37 147 146 2012-05-05T01:07:24Z 31.184.238.15 0 dmdwIdmoGPlUdLM wikitext text/x-wiki comment2, http://price-drugs.com/order-zithromax-online-en.html buy Zithromax, 83307, http://ordergenericdrugs.com/products/cialis-super-active-plus.htm generic cialis super active, %-P, http://shopdrugcheap.com/order-synthroid-online-en.html buy Synthroid online, pkwzml, http://shopdrugcheap.com/order-tadacip-online-en.html generic Tadacip, 77911, http://ordergenericdrugs.com/products/cialis.htm buy cialis, :DDD, b3d1491c0b4398cbb65062ac91335a9caf52589a 148 147 2012-05-05T01:12:53Z 31.184.238.15 0 YNAebtCuyAHeGM wikitext text/x-wiki comment2, http://more-drugs.com/products/cipro.htm buy cipro, kjia, http://price-drugs.com/order-cialis-online-en.html Cialis, 441114, http://ordergenericdrugs.com/products/deltasone.htm generic deltasone, =-))), http://price-drugs.com/order-propecia-online-en.html buy Propecia, :OO, http://more-drugs.com/products/nolvadex.htm cheap nolvadex, 8[, 41686f6fa934e21670d74a22ddd69ce7145a6dcc 149 148 2012-05-05T01:18:15Z 31.184.238.15 0 iLCgXRmChxhIoBqLYGP wikitext text/x-wiki comment6, http://price-drugs.com/order-kamagra-online-en.html buy Kamagra, 153047, http://shopdrugcheap.com/order-viagra-professional-online-en.html buy Viagra Professional online, 528, http://ordergenericdrugs.com/products/strattera.htm generic strattera, 8-D, http://more-drugs.com/products/viagra-super-active-plus.htm buy viagra super active online, 022824, http://more-drugs.com/products/prevacid.htm buy prevacid, =[[, 608576fc88f43a1738d2b3a5699a1b8d098d8054 
150 149 2012-05-05T01:23:51Z 31.184.238.15 0 nnzMbOMoRLcjD wikitext text/x-wiki comment2, http://price-drugs.com/order-lipitor-online-en.html generic Lipitor, :[[, http://price-drugs.com/order-viagra-professional-online-en.html generic Viagra Professional, 111, http://price-drugs.com/order-prednisone-online-en.html Prednisone, qqradp, http://shopdrugcheap.com/order-cipro-online-en.html Cipro, vwfbb, http://ordergenericdrugs.com/products/levitra.htm buy levitra, 144, cc4acd62479a024f57c3e208d98b87d53f802045 151 150 2012-05-05T01:28:54Z 31.184.238.15 0 BDfsJiwGQgr wikitext text/x-wiki comment4, http://shopdrugcheap.com/order-female-viagra-online-en.html buy Female Viagra online, 8O, http://more-drugs.com/products/deltasone.htm cheap deltasone, 938, http://price-drugs.com/order-nolvadex-online-en.html generic Nolvadex, 8-], http://price-drugs.com/order-viagra-super-active-online-en.html buy Viagra Super Active online, 8-DD, http://more-drugs.com/products/cialis-professional.htm generic cialis professional, =-]], f274cff1788688f83ad89e88a28b02a5ac4d49af 152 151 2012-05-05T01:34:22Z 31.184.238.15 0 LesoxKyCOlDGUgt wikitext text/x-wiki comment4, http://ordergenericdrugs.com/products/female-viagra.htm generic female viagra, 93476, http://more-drugs.com/products/pepcid.htm buy pepcid online, 8-[[[, http://shopdrugcheap.com/order-kamagra-online-en.html buy Kamagra, 17322, http://shopdrugcheap.com/order-accutane-online-en.html buy Accutane, 37039, http://shopdrugcheap.com/order-retin-a-online-en.html Retin-A, 068220, aae9b7275c78e428821cd7a5a1b776a1bf005cdd 153 152 2012-05-05T01:39:42Z 31.184.238.15 0 RhuNZdymWoRrtyAAzx wikitext text/x-wiki comment5, http://price-drugs.com/order-zithromax-online-en.html Zithromax, 748089, http://ordergenericdrugs.com/products/cialis-super-active-plus.htm cheap cialis super active, =-PPP, http://shopdrugcheap.com/order-synthroid-online-en.html Synthroid, 0133, http://shopdrugcheap.com/order-tadacip-online-en.html generic Tadacip, >:-D, 
http://ordergenericdrugs.com/products/cialis.htm generic cialis, 347, e4cec6fee49b657db1be006d577fd517ab8ad0a7 154 153 2012-05-05T01:45:12Z 31.184.238.15 0 TcyACEHreHZ wikitext text/x-wiki comment1, http://price-drugs.com/order-ampicillin-online-en.html buy Ampicillin, hisb, http://shopdrugcheap.com/order-strattera-online-en.html buy Strattera online, 799154, http://price-drugs.com/order-proventil-online-en.html Proventil, >:[, http://more-drugs.com/products/female-viagra.htm cheap female viagra, 894442, http://shopdrugcheap.com/order-cialis-online-en.html Cialis, >:-DDD, a559a676ce4e99f5c5547ab096430b3bca21e0ce 155 154 2012-05-05T01:50:16Z 31.184.238.15 0 jlwIvMKcUXJ wikitext text/x-wiki comment2, http://price-drugs.com/order-female-viagra-online-en.html buy Female Viagra online, wziqh, http://more-drugs.com/products/propecia.htm cheap propecia, %-[, http://price-drugs.com/order-doxycycline-online-en.html buy Doxycycline online, :-[, http://shopdrugcheap.com/order-lasix-online-en.html buy Lasix, 4300, http://price-drugs.com/order-zoloft-online-en.html generic Zoloft, %-]], dc824254955fe9da592063ed043b460ebe2689e5 156 155 2012-05-05T01:55:28Z 31.184.238.15 0 brQDHQqxUC wikitext text/x-wiki comment3, http://more-drugs.com/products/kamagra.htm buy kamagra online, mqst, http://more-drugs.com/products/xenical.htm buy xenical online, :PPP, http://more-drugs.com/products/rogaine-5-.htm cheap rogaine 5%, =-(, http://shopdrugcheap.com/order-cialis-super-active-online-en.html Cialis Super Active, 448348, http://more-drugs.com/products/levitra.htm cheap levitra, 482288, bb00bc47516eb20a010a7be335713f5eebab77cc 157 156 2012-05-05T02:01:06Z 31.184.238.15 0 crgyRHUMns wikitext text/x-wiki comment1, http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid, :-P, http://shopdrugcheap.com/order-orlistat-online-en.html buy Orlistat, lkqmn, http://more-drugs.com/products/cialis-super-active-plus.htm cheap cialis super active, fbgcb, 
Linux Security Summit 2012
http://ordergenericdrugs.com/products/pepcid.htm buy pepcid, kgnf, http://price-drugs.com/order-cialis-super-active-online-en.html Cialis Super Active, =))), http://price-drugs.com/order-viagra-online-en.html generic Viagra, 851, http://ordergenericdrugs.com/products/cipro.htm generic cipro, 462, http://ordergenericdrugs.com/products/rogaine-5-.htm buy rogaine 5% online, 58480, b4a58c6331685a4e799335d81aa6e16b799093fe 241 240 2012-05-05T09:49:20Z 31.184.238.15 0 wWMXiSBDpdipnuS wikitext text/x-wiki comment5, http://price-drugs.com/order-lipitor-online-en.html buy Lipitor online, 07418, http://price-drugs.com/order-viagra-professional-online-en.html buy Viagra Professional online, gqmb, http://price-drugs.com/order-prednisone-online-en.html generic Prednisone, anaa, http://shopdrugcheap.com/order-cipro-online-en.html generic Cipro, 482, http://ordergenericdrugs.com/products/levitra.htm buy levitra online, 409, 14e41dbca491d4de6996cc9d35432cbb631e9ef5 242 241 2012-05-05T09:55:03Z 31.184.238.15 0 nidGKQbYaAFh wikitext text/x-wiki comment1, http://shopdrugcheap.com/order-viagra-online-en.html Viagra, :P, http://price-drugs.com/order-zithromax-online-en.html generic Zithromax, auz, http://shopdrugcheap.com/order-cialis-professional-online-en.html generic Cialis Professional, jdwfb, http://ordergenericdrugs.com/products/xenical.htm buy xenical, 118, http://shopdrugcheap.com/order-levitra-online-en.html buy Levitra online, 926394, 597126df0cc1a2e93e0795f783b8490df88f429b Linux Security Summit 2012 0 8 243 242 2012-05-05T10:01:18Z 31.184.238.15 0 WexBBtjaBvQi wikitext text/x-wiki comment4, http://more-drugs.com/products/diflucan.htm cheap diflucan, =D, http://price-drugs.com/order-cialis-professional-online-en.html Cialis Professional, 694644, http://price-drugs.com/order-levaquin-online-en.html generic Levaquin, 367, http://shopdrugcheap.com/order-priligy-online-en.html buy Priligy online, 102, http://price-drugs.com/order-diflucan-online-en.html Diflucan, 077499, 
48d9c631fb5e80441542e95414221c0bd21792ed 244 243 2012-05-05T10:12:56Z 31.184.238.15 0 qifVzTuymbUlnfHslSZ wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid, 111, http://shopdrugcheap.com/order-orlistat-online-en.html generic Orlistat, :(, http://more-drugs.com/products/cialis-super-active-plus.htm buy cialis super active, 0746, http://shopdrugcheap.com/order-zoloft-online-en.html buy Zoloft, :D, http://ordergenericdrugs.com/products/kamagra.htm buy kamagra online, >:), 1eb61f56dd8b0220438c49fe4e5ff18ce762d691 245 244 2012-05-05T10:18:38Z 31.184.238.15 0 LKbQkoshtHDjrR wikitext text/x-wiki comment3, http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid online, wzmg, http://shopdrugcheap.com/order-orlistat-online-en.html buy Orlistat online, %PP, http://more-drugs.com/products/cialis-super-active-plus.htm buy cialis super active, 8-), http://shopdrugcheap.com/order-zoloft-online-en.html generic Zoloft, 8(((, http://ordergenericdrugs.com/products/kamagra.htm generic kamagra, imsebi, c2a77b3ed18e8e1f86af48cab6d6521011fcd7b3 246 245 2012-05-05T10:24:27Z 31.184.238.15 0 VsPXvrcMZoYzb wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-clomid-online-en.html generic Clomid, >:(, http://shopdrugcheap.com/order-orlistat-online-en.html generic Orlistat, kmn, http://more-drugs.com/products/cialis-super-active-plus.htm generic cialis super active, 84834, http://shopdrugcheap.com/order-zoloft-online-en.html Zoloft, vpgo, http://ordergenericdrugs.com/products/kamagra.htm buy kamagra, >:D, 6b634632df1560ff7a031ed476b52aec30f905f9 247 246 2012-05-05T10:30:03Z 31.184.238.15 0 uPZBIQmKQh wikitext text/x-wiki comment3, http://price-drugs.com/order-kamagra-online-en.html buy Kamagra, 8803, http://shopdrugcheap.com/order-viagra-professional-online-en.html buy Viagra Professional online, :-[, http://ordergenericdrugs.com/products/strattera.htm buy strattera online, orve, 
http://more-drugs.com/products/viagra-super-active-plus.htm generic viagra super active, wjb, http://more-drugs.com/products/prevacid.htm cheap prevacid, 513, c07a8b1669049e6ac6a894df03868e237de3572a 248 247 2012-05-05T10:36:09Z 31.184.238.15 0 jaHMDkhKgs wikitext text/x-wiki comment2, http://more-drugs.com/products/synthroid.htm buy synthroid online, >:[[[, http://more-drugs.com/products/cialis.htm buy cialis, >:-DD, http://ordergenericdrugs.com/products/viagra-super-active-plus.htm generic viagra super active, 3921, http://more-drugs.com/products/nexium.htm buy nexium, iud, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm buy kamagra oral jelly online, 8OOO, c07f6cadfc6e28a42dc21a507b5644d4a94fe38a 249 248 2012-05-05T10:42:09Z 31.184.238.15 0 DCtzOjQOy wikitext text/x-wiki comment2, http://price-drugs.com/order-zithromax-online-en.html generic Zithromax, 30074, http://ordergenericdrugs.com/products/cialis-super-active-plus.htm buy cialis super active, :]], http://shopdrugcheap.com/order-synthroid-online-en.html buy Synthroid online, 7370, http://shopdrugcheap.com/order-tadacip-online-en.html generic Tadacip, :[[, http://ordergenericdrugs.com/products/cialis.htm cheap cialis, 8-))), 04ba61245eb400ed8698311affcbdfb4d086eb1d 250 249 2012-05-05T10:48:17Z 31.184.238.15 0 lAhBpKbJ wikitext text/x-wiki comment2, http://more-drugs.com/products/synthroid.htm buy synthroid online, 2044, http://more-drugs.com/products/cialis.htm buy cialis online, 974791, http://ordergenericdrugs.com/products/viagra-super-active-plus.htm cheap viagra super active, oei, http://more-drugs.com/products/nexium.htm cheap nexium, =], http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm buy kamagra oral jelly, 516829, 3c93018aba3af1955988dddbefc1925def58f5a1 251 250 2012-05-05T10:54:22Z 31.184.238.15 0 iPSvHHfHNCNORHTY wikitext text/x-wiki comment4, http://price-drugs.com/order-lipitor-online-en.html generic Lipitor, =-], 
http://price-drugs.com/order-viagra-professional-online-en.html buy Viagra Professional online, =-]], http://price-drugs.com/order-prednisone-online-en.html buy Prednisone, 8P, http://shopdrugcheap.com/order-cipro-online-en.html buy Cipro online, fjibg, http://ordergenericdrugs.com/products/levitra.htm cheap levitra, 174, eddb0ea88a930869f7ac67300c6e23f920230665 252 251 2012-05-05T11:00:10Z 31.184.238.15 0 SYNbZFGrOcpytloIT wikitext text/x-wiki comment5, http://more-drugs.com/products/viagra-professional.htm buy viagra professional, 8OOO, http://ordergenericdrugs.com/products/viagra.htm generic viagra, vyoif, http://ordergenericdrugs.com/products/propecia.htm generic propecia, :P, http://more-drugs.com/products/clomid.htm generic clomid, :O, http://price-drugs.com/order-levitra-online-en.html buy Levitra, 59422, 1f4cba91b64876adeffdaf4e6418aebf259630af 253 252 2012-05-05T11:05:58Z 31.184.238.15 0 csTCFUPWETgLmwNmzT wikitext text/x-wiki comment4, http://shopdrugcheap.com/order-proscar-online-en.html buy Proscar, 6580, http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy Viagra Super Active, rqts, http://ordergenericdrugs.com/products/clomid.htm cheap clomid, 308, http://price-drugs.com/order-flagyl-online-en.html buy Flagyl, 8((, http://ordergenericdrugs.com/products/prevacid.htm buy prevacid, jvbal, 90a22f02c8ce1304f4afbe804da258a4914fc2dc 254 253 2012-05-05T11:11:52Z 31.184.238.15 0 oCKezlPwNmzTnmo wikitext text/x-wiki comment5, http://more-drugs.com/products/diflucan.htm generic diflucan, 735, http://price-drugs.com/order-cialis-professional-online-en.html generic Cialis Professional, 8-[[, http://price-drugs.com/order-levaquin-online-en.html buy Levaquin online, 086907, http://shopdrugcheap.com/order-priligy-online-en.html Priligy, xnbqi, http://price-drugs.com/order-diflucan-online-en.html buy Diflucan online, 2877, 09a32b8d9982ff63689c2866e769290e6f8c9b67 255 254 2012-05-05T11:17:44Z 31.184.238.15 0 zYDUdRzZx wikitext text/x-wiki comment2, 
http://price-drugs.com/order-lipitor-online-en.html buy Lipitor online, hspzx, http://price-drugs.com/order-viagra-professional-online-en.html buy Viagra Professional, >:-PP, http://price-drugs.com/order-prednisone-online-en.html buy Prednisone online, %-[[, http://shopdrugcheap.com/order-cipro-online-en.html generic Cipro, owqx, http://ordergenericdrugs.com/products/levitra.htm buy levitra online, =-))), d0a925aed1384e0b52287630b6433ca6d1da3788 256 255 2012-05-05T11:23:39Z 31.184.238.15 0 oGoSoZFzjOXQyTd wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-viagra-online-en.html generic Viagra, >:((, http://price-drugs.com/order-zithromax-online-en.html generic Zithromax, hnun, http://shopdrugcheap.com/order-cialis-professional-online-en.html Cialis Professional, jaln, http://ordergenericdrugs.com/products/xenical.htm generic xenical, 5762, http://shopdrugcheap.com/order-levitra-online-en.html buy Levitra online, 2752, 4060927a94fb42fd769f63716eb28e766a24c1fc 257 256 2012-05-05T11:29:34Z 31.184.238.15 0 ChiOuAPReVzr wikitext text/x-wiki comment2, http://more-drugs.com/products/diflucan.htm buy diflucan online, 3112, http://price-drugs.com/order-cialis-professional-online-en.html generic Cialis Professional, pauh, http://price-drugs.com/order-levaquin-online-en.html buy Levaquin, 714745, http://shopdrugcheap.com/order-priligy-online-en.html buy Priligy online, 118, http://price-drugs.com/order-diflucan-online-en.html buy Diflucan online, rta, 8c7d74f20da65510b0477591b7ade6493b05e391 258 257 2012-05-05T11:35:29Z 31.184.238.15 0 igJvhGGkNcSsYqxlA wikitext text/x-wiki comment4, http://ordergenericdrugs.com/products/pepcid.htm buy pepcid, >:-]]], http://price-drugs.com/order-cialis-super-active-online-en.html Cialis Super Active, =-], http://price-drugs.com/order-viagra-online-en.html Viagra, 8730, http://ordergenericdrugs.com/products/cipro.htm generic cipro, aooz, http://ordergenericdrugs.com/products/rogaine-5-.htm buy rogaine 5%, 914958, 
ec8d62f92f479f6932daf2318ab52a3945d5be02 259 258 2012-05-05T11:41:00Z 31.184.238.15 0 dcRRnGqYrdmEy wikitext text/x-wiki comment5, http://price-drugs.com/order-kamagra-online-en.html buy Kamagra online, kkfri, http://shopdrugcheap.com/order-viagra-professional-online-en.html Viagra Professional, =)), http://ordergenericdrugs.com/products/strattera.htm cheap strattera, rffdgp, http://more-drugs.com/products/viagra-super-active-plus.htm generic viagra super active, 242884, http://more-drugs.com/products/prevacid.htm buy prevacid online, 080, 2888becaf13d0d46743fe677c1ca9f73af2e70ca 260 259 2012-05-05T11:47:17Z 31.184.238.15 0 VkZzJrKBCSUvO wikitext text/x-wiki comment2, http://price-drugs.com/order-female-viagra-online-en.html buy Female Viagra online, >:)), http://more-drugs.com/products/propecia.htm buy propecia, 0460, http://price-drugs.com/order-doxycycline-online-en.html buy Doxycycline, 2241, http://shopdrugcheap.com/order-lasix-online-en.html buy Lasix, 3303, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft online, :[, 0e995fb17ea6404c8b287b1e285254b44d69f75b 261 260 2012-05-05T11:52:53Z 31.184.238.15 0 dsGePjKdGRPbSBo wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-zithromax-online-en.html buy Zithromax, 7151, http://price-drugs.com/order-clomid-online-en.html buy Clomid online, bksoey, http://ordergenericdrugs.com/products/zovirax.htm buy zovirax online, 089, http://ordergenericdrugs.com/products/amoxil.htm buy amoxil online, 2603, http://more-drugs.com/products/plavix.htm buy plavix, %OO, 80f16cc4adef8c7246bc2aa66f17009195c2b5d1 262 261 2012-05-05T11:59:02Z 31.184.238.15 0 EJZstMEnBpUJDL wikitext text/x-wiki comment5, http://shopdrugcheap.com/order-proscar-online-en.html buy Proscar online, 8-DDD, http://shopdrugcheap.com/order-viagra-super-active-online-en.html Viagra Super Active, gvr, http://ordergenericdrugs.com/products/clomid.htm buy clomid online, 87599, http://price-drugs.com/order-flagyl-online-en.html Flagyl, >:-OOO, 
http://ordergenericdrugs.com/products/prevacid.htm generic prevacid, dmo, 2d0fe4c1a6d5940773b376ad72b80c90134586fb 263 262 2012-05-05T12:04:54Z 31.184.238.15 0 qqemoOggnJgiXKbbX wikitext text/x-wiki comment6, http://price-drugs.com/order-zithromax-online-en.html Zithromax, 31232, http://ordergenericdrugs.com/products/cialis-super-active-plus.htm buy cialis super active online, mgzu, http://shopdrugcheap.com/order-synthroid-online-en.html buy Synthroid online, 771690, http://shopdrugcheap.com/order-tadacip-online-en.html buy Tadacip, >:-DDD, http://ordergenericdrugs.com/products/cialis.htm cheap cialis, mqtkbc, b5138483b059785731d1f1c1c6395bfa0c203bb1 264 263 2012-05-05T12:11:04Z 31.184.238.15 0 DqYViECU wikitext text/x-wiki comment1, http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid online, =O, http://shopdrugcheap.com/order-orlistat-online-en.html generic Orlistat, 8-(, http://more-drugs.com/products/cialis-super-active-plus.htm buy cialis super active online, 206466, http://shopdrugcheap.com/order-zoloft-online-en.html generic Zoloft, rncchs, http://ordergenericdrugs.com/products/kamagra.htm buy kamagra online, fbirnu, 5ee6d11caade420247cbc00616017c4c19ab3923 265 264 2012-05-05T12:16:38Z 31.184.238.15 0 hSEqIUDGbLJYyDxewTM wikitext text/x-wiki comment3, http://shopdrugcheap.com/order-proscar-online-en.html buy Proscar online, %-(, http://shopdrugcheap.com/order-viagra-super-active-online-en.html Viagra Super Active, %-P, http://ordergenericdrugs.com/products/clomid.htm cheap clomid, :(((, http://price-drugs.com/order-flagyl-online-en.html generic Flagyl, vkwi, http://ordergenericdrugs.com/products/prevacid.htm buy prevacid online, suznn, eb8e23f67970b4fe91705746d2291bf43deabfb3 266 265 2012-05-05T12:22:33Z 31.184.238.15 0 QiFptjSCRCjaArY wikitext text/x-wiki comment3, http://shopdrugcheap.com/order-propecia-online-en.html Propecia, ihxttt, http://more-drugs.com/products/viagra.htm buy viagra online, =[[[, 
http://price-drugs.com/order-bactrim-online-en.html buy Bactrim online, fxdk, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft online, 54321, http://price-drugs.com/order-cipro-online-en.html generic Cipro, xstjqn, ac3b904e50e3b502361100014bab557c358a34e0 267 266 2012-05-05T12:28:27Z 31.184.238.15 0 SEjqakRsGpEJKg wikitext text/x-wiki comment5, http://more-drugs.com/products/cipro.htm buy cipro, qula, http://price-drugs.com/order-cialis-online-en.html buy Cialis online, >:P, http://ordergenericdrugs.com/products/deltasone.htm generic deltasone, pcdyxq, http://price-drugs.com/order-propecia-online-en.html generic Propecia, =]], http://more-drugs.com/products/nolvadex.htm buy nolvadex online, 766, c84049613ea311456e5f454072e201f6a98df08c 268 267 2012-05-05T12:34:22Z 31.184.238.15 0 dAgpnhpT wikitext text/x-wiki comment6, http://more-drugs.com/products/viagra-professional.htm buy viagra professional online, 045, http://ordergenericdrugs.com/products/viagra.htm generic viagra, vwoj, http://ordergenericdrugs.com/products/propecia.htm cheap propecia, fxqcu, http://more-drugs.com/products/clomid.htm buy clomid, rkvmz, http://price-drugs.com/order-levitra-online-en.html Levitra, 1993, c3bb31f69e2ed46467df63f831b16ab1588c5822 269 268 2012-05-05T12:40:32Z 31.184.238.15 0 NrcVZRIxCtVxlGJF wikitext text/x-wiki comment4, http://more-drugs.com/products/diflucan.htm buy diflucan, =PPP, http://price-drugs.com/order-cialis-professional-online-en.html buy Cialis Professional online, 8(((, http://price-drugs.com/order-levaquin-online-en.html generic Levaquin, 9595, http://shopdrugcheap.com/order-priligy-online-en.html buy Priligy online, 42314, http://price-drugs.com/order-diflucan-online-en.html generic Diflucan, 668597, de5396590c8d480b34819b72dac7c003bbb6106c 270 269 2012-05-05T12:46:19Z 31.184.238.15 0 UDpRWpTWydlDy wikitext text/x-wiki comment2, http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid online, >:[[[, 
http://shopdrugcheap.com/order-orlistat-online-en.html buy Orlistat online, 8-[[, http://more-drugs.com/products/cialis-super-active-plus.htm buy cialis super active online, kejku, http://shopdrugcheap.com/order-zoloft-online-en.html buy Zoloft, 0604, http://ordergenericdrugs.com/products/kamagra.htm cheap kamagra, eprai, 371af20cd3987e67b81f911f5f023b2c9aa7a1e7 272 270 2012-05-05T12:52:23Z 31.184.238.15 0 zkbGaPlE wikitext text/x-wiki comment4, http://price-drugs.com/order-lasix-online-en.html buy Lasix, egmxox, http://ordergenericdrugs.com/products/kamagra.htm buy kamagra, :-OO, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm generic kamagra oral jelly, xsrc, http://more-drugs.com/products/plavix.htm cheap plavix, 031, http://shopdrugcheap.com/order-levitra-online-en.html buy Levitra online, 4496, 26eb23514649d9023858ca10162162aa24440381 273 272 2012-05-05T12:58:46Z 31.184.238.15 0 DzCvKjEXVpJXKAeAW wikitext text/x-wiki comment1, http://more-drugs.com/products/propecia.htm buy propecia online, 2843, http://more-drugs.com/products/pepcid.htm buy pepcid, 3819, http://shopdrugcheap.com/order-accutane-online-en.html buy Accutane online, 8-)), http://price-drugs.com/order-clomid-online-en.html Clomid, 00406, http://ordergenericdrugs.com/products/xenical.htm buy xenical online, 325847, 683ce23b2bc0efb7e0ecb1975637c6481f8442e8 274 273 2012-05-05T13:04:53Z 31.184.238.15 0 ptJDOwRRztn wikitext text/x-wiki comment3, http://ordergenericdrugs.com/products/viagra.htm generic viagra, 777754, http://more-drugs.com/products/xenical.htm buy xenical online, >:-DDD, http://price-drugs.com/order-levitra-online-en.html buy Levitra online, =D, http://shopdrugcheap.com/order-kamagra-online-en.html buy Kamagra, lewo, http://price-drugs.com/order-cipro-online-en.html buy Cipro online, pcss, 14f02a5ac8545b1916d10f53b7f960902b2722dd 275 274 2012-05-05T13:10:27Z 31.184.238.15 0 SfUBQWGk wikitext text/x-wiki comment5, 
http://ordergenericdrugs.com/products/cialis-super-active-plus.htm buy cialis super active online, jhiq, http://shopdrugcheap.com/order-retin-a-online-en.html buy Retin-A, 5186, http://more-drugs.com/products/levitra.htm buy levitra online, iuha, http://more-drugs.com/products/synthroid.htm buy synthroid online, uqsik, http://ordergenericdrugs.com/products/zovirax.htm buy zovirax, ytqau, 208405fb74b4a11219ee9d9564c594a0285b9dbc 276 275 2012-05-05T13:16:28Z 31.184.238.15 0 TXMCNjsDwDqePuxhmTj wikitext text/x-wiki comment1, http://shopdrugcheap.com/order-orlistat-online-en.html buy Orlistat, >:OO, http://price-drugs.com/order-zithromax-online-en.html Zithromax, >:-[[, http://price-drugs.com/order-levaquin-online-en.html Levaquin, ozzzcv, http://shopdrugcheap.com/order-propecia-online-en.html buy Propecia online, 8-OO, http://more-drugs.com/products/nolvadex.htm generic nolvadex, lqk, 838e36934a03012aac515d73aa2ca2d93a316e99 277 276 2012-05-05T13:22:54Z 31.184.238.15 0 htqwynKuWJMLKTDQZMc wikitext text/x-wiki comment1, http://price-drugs.com/order-prednisone-online-en.html Prednisone, 99491, http://price-drugs.com/ buy Female Viagra, 8902, http://price-drugs.com/order-kamagra-online-en.html Kamagra, 3094, http://ordergenericdrugs.com/ buy generic kamagra oral jelly, 9793, http://shopdrugcheap.com/order-cipro-online-en.html Cipro, 30941, 7c8ac747a0e91bc36d35b8b6e76052765907bcc4 278 277 2012-05-05T13:28:48Z 31.184.238.15 0 uSpZudOF wikitext text/x-wiki comment1, http://price-drugs.com/order-cialis-online-en.html generic Cialis, pra, http://more-drugs.com/products/cialis-professional.htm generic cialis professional, gkhbj, http://price-drugs.com/order-diflucan-online-en.html buy Diflucan, zkc, http://ordergenericdrugs.com/products/amoxil.htm buy amoxil, tvnpu, http://ordergenericdrugs.com/products/cipro.htm buy cipro, >:OOO, 811e122e317cb19c595699fc3e27566ce82c18bf 279 278 2012-05-05T13:34:51Z 31.184.238.15 0 gBcimcztVcRBZROYz wikitext text/x-wiki comment6, 
http://shopdrugcheap.com/order-cialis-super-active-online-en.html buy Cialis Super Active online, iryr, http://price-drugs.com/order-viagra-online-en.html buy Viagra, 161, http://price-drugs.com/order-viagra-professional-online-en.html Viagra Professional, =DD, http://shopdrugcheap.com/order-viagra-online-en.html buy Viagra online, %), http://more-drugs.com/products/viagra-super-active-plus.htm generic viagra super active, >:-OO, dd57134477e4949ee510866fb3258bfa49c95d9d 280 279 2012-05-05T13:40:23Z 31.184.238.15 0 HUrxedmR wikitext text/x-wiki comment1, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft, flgwh, http://ordergenericdrugs.com/products/cialis.htm buy cialis, 94446, http://shopdrugcheap.com/order-zoloft-online-en.html buy Zoloft online, 33902, http://shopdrugcheap.com/order-accutane-online-en.html buy Accutane, :(, http://shopdrugcheap.com/ buy Accutane, 1415, a9202419b9338cc82a01cb405aed28fe48dccf9c 281 280 2012-05-05T13:46:13Z 31.184.238.15 0 KpMzfFsKVWxU wikitext text/x-wiki comment6, http://more-drugs.com/products/deltasone.htm cheap deltasone, 22666, http://ordergenericdrugs.com/products/strattera.htm buy strattera, %-]], http://price-drugs.com/order-nolvadex-online-en.html buy Nolvadex online, hvf, http://shopdrugcheap.com/order-viagra-professional-online-en.html Viagra Professional, 661140, http://shopdrugcheap.com/order-lasix-online-en.html buy Lasix, :-), 6fabf424cd37ca7df7ad298defff47a028c04491 282 281 2012-05-05T13:52:17Z 31.184.238.15 0 sjpcURHtuc wikitext text/x-wiki comment5, http://price-drugs.com/order-lasix-online-en.html Lasix, awk, http://ordergenericdrugs.com/products/kamagra.htm generic kamagra, =-OO, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm cheap kamagra oral jelly, 67473, http://more-drugs.com/products/plavix.htm buy plavix, =-D, http://shopdrugcheap.com/order-levitra-online-en.html generic Levitra, ohntca, 56005e132e78770e03fab35a9ccde2b2f7497df8 283 282 2012-05-05T13:58:30Z 31.184.238.15 0 
bXCJJQPeMsqKvPPcSJm wikitext text/x-wiki comment5, http://price-drugs.com/ buy Female Viagra, =-PP, http://shopdrugcheap.com/order-cialis-professional-online-en.html buy Cialis Professional online, 3532, http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy Viagra Super Active online, 05417, http://shopdrugcheap.com/order-priligy-online-en.html buy Priligy, 48059, http://ordergenericdrugs.com/products/pepcid.htm cheap pepcid, 045758, e9cad57626e23a9b493cbead8970874e60b2faea 284 283 2012-05-05T14:04:43Z 31.184.238.15 0 slOaJyVP wikitext text/x-wiki comment1, http://price-drugs.com/order-proventil-online-en.html buy Proventil online, :-)), http://price-drugs.com/order-amoxil-online-en.html Amoxil, jwmn, http://shopdrugcheap.com/order-diflucan-online-en.html buy Diflucan online, 220, http://price-drugs.com/order-female-viagra-online-en.html buy Female Viagra online, =D, http://more-drugs.com/products/cialis-super-active-plus.htm buy cialis super active, htbk, a403d2c00c811c5ed0e973d6dbdfe9a5e5acb743 285 284 2012-05-05T14:10:14Z 31.184.238.15 0 TcIIkzXKKPdwT wikitext text/x-wiki comment6, http://more-drugs.com/products/cialis.htm buy cialis online, wvnvqz, http://shopdrugcheap.com/ buy Synthroid, %-PPP, http://price-drugs.com/order-cialis-professional-online-en.html buy Cialis Professional online, hklxl, http://shopdrugcheap.com/order-tadacip-online-en.html generic Tadacip, :O, http://ordergenericdrugs.com/products/clomid.htm cheap clomid, 701847, 76d52ebdb672dab9897945c2867fb9de2bb2f54f 286 285 2012-05-05T14:16:07Z 31.184.238.15 0 tWgNoNgYGCLk wikitext text/x-wiki comment1, http://price-drugs.com/order-lasix-online-en.html buy Lasix online, sbyyw, http://ordergenericdrugs.com/products/kamagra.htm buy kamagra online, luv, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm buy kamagra oral jelly online, 8-(, http://more-drugs.com/products/plavix.htm buy plavix online, 8-(, http://shopdrugcheap.com/order-levitra-online-en.html buy Levitra 
online, 31190, 32dc8255e0115e6dc9f663de456c7c018773cc97 287 286 2012-05-05T14:22:43Z 31.184.238.15 0 COWIhQjZuFmyoN wikitext text/x-wiki comment4, http://price-drugs.com/order-lasix-online-en.html Lasix, phgfnn, http://ordergenericdrugs.com/products/kamagra.htm cheap kamagra, bxse, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm cheap kamagra oral jelly, %-]], http://more-drugs.com/products/plavix.htm generic plavix, zdmqys, http://shopdrugcheap.com/order-levitra-online-en.html generic Levitra, 2313, a9c49c0291c1e203d06b32382e2f125a8a36fbbd 288 287 2012-05-05T14:28:01Z 31.184.238.15 0 tqiFiUTl wikitext text/x-wiki comment3, http://ordergenericdrugs.com/products/viagra.htm generic viagra, =OOO, http://more-drugs.com/products/xenical.htm cheap xenical, djx, http://price-drugs.com/order-levitra-online-en.html buy Levitra online, =), http://shopdrugcheap.com/order-kamagra-online-en.html buy Kamagra, tumjx, http://price-drugs.com/order-cipro-online-en.html buy Cipro, wkk, d00dbc3cd3557ce3129c35fbd1680a5017117606 289 288 2012-05-05T14:33:52Z 31.184.238.15 0 LBZJcyAtyMEbdfPLNMp wikitext text/x-wiki comment6, http://price-drugs.com/order-lasix-online-en.html buy Lasix, lozr, http://ordergenericdrugs.com/products/kamagra.htm buy kamagra online, =-((, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm cheap kamagra oral jelly, 7212, http://more-drugs.com/products/plavix.htm buy plavix, prrm, http://shopdrugcheap.com/order-levitra-online-en.html buy Levitra online, szo, dde2a837516cd883d0a8fb768e7d24bb0e6759eb 290 289 2012-05-05T14:39:48Z 31.184.238.15 0 BlumijFOyhVTCVG wikitext text/x-wiki comment6, http://more-drugs.com/products/nexium.htm buy nexium, 8]], http://shopdrugcheap.com/ buy Synthroid, zrlu, http://ordergenericdrugs.com/products/celebrex.htm cheap celebrex, %-), http://price-drugs.com/order-doxycycline-online-en.html buy Doxycycline, 479706, http://more-drugs.com/ buy viagra jelly online, ktadke, 76032a1ed435a6145be7451c418cdff4815c59a6 291 
2012-05-05T20:37:21Z 31.184.238.9 0 jOHAqKuojHRNXWHV wikitext text/x-wiki , http://ordergenericdrugs.com/products/clomid.htm buy clomid online, 593, http://price-drugs.com/order-levitra-online-en.html buy generic Levitra online, =-), http://shopdrugcheap.com/order-propecia-online-en.html buy generic Propecia, moa, http://shopdrugcheap.com/order-tadacip-online-en.html buy Tadacip online, 3139, http://price-drugs.com/order-lipitor-online-en.html Lipitor, :[[[, a9206a63e8059e0bc46fa1d108a82d7ea4c29f44 375 374 2012-05-05T20:41:11Z 31.184.238.9 0 dIpVfjaiMDcP wikitext text/x-wiki , http://ordergenericdrugs.com/products/kamagra.htm buy kamagra online, 0601, http://price-drugs.com/order-clomid-online-en.html buy generic Clomid, ukwjwl, http://shopdrugcheap.com/order-synthroid-online-en.html Synthroid, 22397, http://price-drugs.com/ buy Cialis, disnp, http://ordergenericdrugs.com/products/levitra.htm cheap levitra, :-], 0fc6ac5b743718dda778bb18bdf66a7ce6a1c0dd 376 375 2012-05-05T20:41:56Z 31.184.238.15 0 RmNtHZqrPgygMugb wikitext text/x-wiki comment5, http://shopdrugcheap.com/order-kamagra-online-en.html Kamagra, npgd, http://more-drugs.com/products/female-viagra.htm cheap female viagra, rvjg, http://shopdrugcheap.com/order-cialis-professional-online-en.html Cialis Professional, xwkph, http://more-drugs.com/products/xenical.htm buy xenical online, 844, http://shopdrugcheap.com/order-zoloft-online-en.html generic Zoloft, wvd, 4b09dbe056784aa8659a196b871d0d21d3ea0d28 377 376 2012-05-05T20:45:49Z 31.184.238.9 0 FNWBOyyYYEqKKHI wikitext text/x-wiki , http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid, 8))), http://more-drugs.com/products/deltasone.htm deltasone, mhee, http://price-drugs.com/order-diflucan-online-en.html buy generic Diflucan, tlbhh, http://shopdrugcheap.com/order-cipro-online-en.html buy generic Cipro online, %-OO, http://shopdrugcheap.com/order-orlistat-online-en.html buy generic Orlistat, 678512, 2b32830e614e0ada1f63393c06a92a48bdfc4a15 378 377 
2012-05-05T20:47:30Z 31.184.238.15 0 GkbNATYfbwRguLqB wikitext text/x-wiki comment2, http://price-drugs.com/order-amoxil-online-en.html buy Amoxil, 07062, http://price-drugs.com/order-zithromax-online-en.html buy Zithromax, njjy, http://ordergenericdrugs.com/products/propecia.htm buy propecia online, 29323, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm buy kamagra oral jelly online, :]]], http://shopdrugcheap.com/order-orlistat-online-en.html buy Orlistat online, uxb, 3eb098b80ea1b0ba0f7f9c6b2987d3877a22f6e3 379 378 2012-05-05T20:49:46Z 31.184.238.9 0 PzDZAapVyIoY wikitext text/x-wiki , http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy generic Viagra Super Active, 68570, http://shopdrugcheap.com/order-clomid-online-en.html buy cheap Clomid, tha, http://ordergenericdrugs.com/products/viagra-super-active-plus.htm buy cheap viagra super active, 37130, http://more-drugs.com/products/cipro.htm cipro, :-))), http://shopdrugcheap.com/order-cialis-online-en.html buy generic Cialis online, cyd, bdbff4ae71d19a5c841248ba252bac91d8ed8949 380 379 2012-05-05T20:52:55Z 31.184.238.15 0 ferEPRbzO wikitext text/x-wiki comment6, http://price-drugs.com/order-zithromax-online-en.html buy Zithromax online, 9091, http://shopdrugcheap.com/order-levitra-online-en.html generic Levitra, :[[[, http://price-drugs.com/order-cialis-professional-online-en.html buy Cialis Professional, 6324, http://more-drugs.com/products/viagra-super-active-plus.htm generic viagra super active, 672, http://shopdrugcheap.com/order-viagra-online-en.html buy Viagra, soykr, cd0921f23fb2b3c372da466f766284d8925b2a85 381 380 2012-05-05T20:54:09Z 31.184.238.9 0 EPEijOdx wikitext text/x-wiki , http://ordergenericdrugs.com/products/pepcid.htm cheap pepcid, 941, http://ordergenericdrugs.com/products/strattera.htm buy strattera, tzuwo, http://ordergenericdrugs.com/products/cipro.htm buy generic cipro, 8-[[[, http://more-drugs.com/products/plavix.htm plavix, 36992, 
http://price-drugs.com/order-doxycycline-online-en.html generic Doxycycline, 21436, db983fac531e3e5b2215cd64a9098c285628154c 382 381 2012-05-05T20:58:45Z 31.184.238.9 0 yBRKOnGIWgQU wikitext text/x-wiki , http://more-drugs.com/products/nolvadex.htm buy cheap nolvadex, 2635, http://price-drugs.com/order-levaquin-online-en.html generic Levaquin, 8], http://more-drugs.com/products/cialis-super-active-plus.htm cialis super active online, 085189, http://price-drugs.com/order-viagra-online-en.html Viagra, trd, http://price-drugs.com/order-viagra-professional-online-en.html buy generic Viagra Professional, rdyipu, 0d221d5482a4e3d65a59302a7e6cf9a2b6dbd255 383 382 2012-05-05T21:03:05Z 31.184.238.9 0 gekfRhykhdrFYgJj wikitext text/x-wiki , http://price-drugs.com/order-prednisone-online-en.html Prednisone, =[, http://price-drugs.com/order-propecia-online-en.html Propecia, uqpd, http://price-drugs.com/order-cialis-online-en.html Cialis, 752, http://price-drugs.com/order-female-viagra-online-en.html buy generic Female Viagra, vydrrj, http://price-drugs.com/order-viagra-super-active-online-en.html buy Viagra Super Active, %[[[, 4e11b5212207f8fc7d113b36864e02cc02b14111 384 383 2012-05-05T21:04:54Z 31.184.238.15 0 PrUJaHnWIsvyQQAGQi wikitext text/x-wiki comment5, http://price-drugs.com/order-levaquin-online-en.html buy Levaquin, :-D, http://shopdrugcheap.com/order-priligy-online-en.html buy Priligy, %-]], http://ordergenericdrugs.com/products/rogaine-5-.htm generic rogaine 5%, vrcswd, http://shopdrugcheap.com/order-accutane-online-en.html generic Accutane, cyx, http://price-drugs.com/ buy Levitra, 740669, 083665f8859ee8e37dee8e1272813017f7ba136b 385 384 2012-05-05T21:07:15Z 31.184.238.9 0 dIJVuoXneXId wikitext text/x-wiki , http://more-drugs.com/products/nolvadex.htm buy cheap nolvadex, 71141, http://price-drugs.com/order-levaquin-online-en.html buy Levaquin, uvcjdc, http://more-drugs.com/products/cialis-super-active-plus.htm cialis super active, qckld, 
http://price-drugs.com/order-viagra-online-en.html buy generic Viagra online, %-[[, http://price-drugs.com/order-viagra-professional-online-en.html buy generic Viagra Professional, =-PP, b0d955e73683fefc47cfdacb670a2e48b873ed41 386 385 2012-05-05T21:10:43Z 31.184.238.15 0 DyiRlaONrLcrnbEGiAN wikitext text/x-wiki comment4, http://more-drugs.com/products/cipro.htm buy cipro, 79036, http://more-drugs.com/ buy xenical online, >:-DD, http://more-drugs.com/products/clomid.htm generic clomid, 982, http://shopdrugcheap.com/order-viagra-professional-online-en.html Viagra Professional, 323318, http://more-drugs.com/products/nexium.htm buy nexium online, 9360, 575690036a2dda276c2330a301250ac9c2e601ef 387 386 2012-05-05T21:11:36Z 31.184.238.9 0 QyycspIEDj wikitext text/x-wiki , http://ordergenericdrugs.com/products/strattera.htm strattera online, 70374, http://price-drugs.com/order-lipitor-online-en.html buy generic Lipitor, 738343, http://price-drugs.com/order-lasix-online-en.html buy Lasix, %PPP, http://ordergenericdrugs.com/products/celebrex.htm generic celebrex, :-[[, http://price-drugs.com/order-viagra-professional-online-en.html buy Viagra Professional, >:-]]], 34db4cde194935119ed17dd484d3032621342bbe 388 387 2012-05-05T21:16:32Z 31.184.238.9 0 sMVtyqUBjFmIeVIaSy wikitext text/x-wiki , http://ordergenericdrugs.com/products/strattera.htm buy generic strattera, ioolp, http://price-drugs.com/order-lipitor-online-en.html buy generic Lipitor, ghdtbv, http://price-drugs.com/order-lasix-online-en.html Lasix, 211, http://ordergenericdrugs.com/products/celebrex.htm buy celebrex, :OO, http://price-drugs.com/order-viagra-professional-online-en.html buy Viagra Professional online, ubudjb, 9a283e83b94c87c148661ac9faf556286f438dab 389 388 2012-05-05T21:17:00Z 31.184.238.15 0 kqbjtTbLSHbFvVON wikitext text/x-wiki comment1, http://more-drugs.com/products/cialis.htm cheap cialis, 451881, http://price-drugs.com/order-viagra-super-active-online-en.html Viagra Super Active, vnh, 
http://more-drugs.com/products/prevacid.htm cheap prevacid, =-]]], http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy Viagra Super Active online, hrm, http://price-drugs.com/order-flagyl-online-en.html buy Flagyl online, 498859, 0a06dec95339e4e411342f78349de936a8e817d5 390 389 2012-05-05T21:20:36Z 31.184.238.9 0 UPAxFRCOWRtAn wikitext text/x-wiki , http://shopdrugcheap.com/order-proscar-online-en.html buy Proscar, itejl, http://more-drugs.com/products/viagra.htm generic viagra, =-OOO, http://shopdrugcheap.com/order-propecia-online-en.html buy Propecia online, rkpxe, http://ordergenericdrugs.com/products/clomid.htm clomid online, 88853, http://ordergenericdrugs.com/products/prevacid.htm buy prevacid, byzuo, c25c97eabbc1cea9cbfef0fd0c944eb21110ee15 391 390 2012-05-05T21:22:46Z 31.184.238.15 0 DxNQKiEhyQpStxHEN wikitext text/x-wiki comment4, http://price-drugs.com/order-levaquin-online-en.html buy Levaquin, 8(((, http://shopdrugcheap.com/order-priligy-online-en.html buy Priligy, 5019, http://ordergenericdrugs.com/products/rogaine-5-.htm buy rogaine 5% online, %DDD, http://shopdrugcheap.com/order-accutane-online-en.html Accutane, =-), http://price-drugs.com/ buy Levaquin, >:]], fa1767cfdb320e1840b1cdb1d6041eb779c002b4 392 391 2012-05-05T21:24:49Z 31.184.238.9 0 OLZMJdTzhV wikitext text/x-wiki , http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid online, 12308, http://more-drugs.com/products/deltasone.htm deltasone online, qrpu, http://price-drugs.com/order-diflucan-online-en.html buy cheap Diflucan, 8-[, http://shopdrugcheap.com/order-cipro-online-en.html buy cheap Cipro, >:DDD, http://shopdrugcheap.com/order-orlistat-online-en.html buy cheap Orlistat, zrupyd, b6a4bfe59ece6fa4a1a88343d1d5ba18e523eca2 393 392 2012-05-05T21:29:06Z 31.184.238.15 0 VdpNZxaum wikitext text/x-wiki comment2, http://ordergenericdrugs.com/products/strattera.htm cheap strattera, puajmx, http://price-drugs.com/order-propecia-online-en.html generic Propecia, wrv, 
http://more-drugs.com/products/plavix.htm generic plavix, 90922, http://ordergenericdrugs.com/products/clomid.htm buy clomid online, 139176, http://more-drugs.com/products/nolvadex.htm buy nolvadex online, dgzk, 18d1b03bb8d19fbaa5caca52832fa7512d3350a0 Linux Security Summit 2012 0 8 394 393 2012-05-05T21:29:49Z 31.184.238.9 0 VVsMUSzkxBAHuYnkSjh wikitext text/x-wiki , http://shopdrugcheap.com/order-diflucan-online-en.html buy Diflucan, 808549, http://shopdrugcheap.com/order-accutane-online-en.html generic Accutane, zxyhn, http://more-drugs.com/products/female-viagra.htm cheap female viagra, 380, http://ordergenericdrugs.com/products/amoxil.htm cheap amoxil, fczdz, http://price-drugs.com/order-proventil-online-en.html buy generic Proventil, =-)), 55e0d2a3010ca0f12284545e8e25d93951bda07f 395 394 2012-05-05T21:33:49Z 31.184.238.9 0 yHQKcODuyuFE wikitext text/x-wiki , http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy Viagra Super Active online, nllxzm, http://more-drugs.com/products/levitra.htm cheap levitra, >:-(, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm cheap kamagra oral jelly, cyzc, http://shopdrugcheap.com/order-cialis-super-active-online-en.html buy cheap Cialis Super Active, poawv, http://ordergenericdrugs.com/products/pepcid.htm buy generic pepcid, safa, e1dd17d3ab4f137ebb8f90ac1c10e492317253f3 396 395 2012-05-05T21:35:13Z 31.184.238.15 0 xdkAckud wikitext text/x-wiki comment2, http://shopdrugcheap.com/ buy Tadacip, crkdws, http://more-drugs.com/products/diflucan.htm buy diflucan, pif, http://shopdrugcheap.com/order-lasix-online-en.html Lasix, 1870, http://more-drugs.com/products/propecia.htm buy propecia, =-O, http://shopdrugcheap.com/ buy Cipro, 977017, 8bbd2e995c56da9cfd716388a9a39431c14b948e 397 396 2012-05-05T21:38:27Z 31.184.238.9 0 jYxDkPkmFsg wikitext text/x-wiki , http://more-drugs.com/products/nexium.htm generic nexium, =-PPP, http://more-drugs.com/products/viagra-super-active-plus.htm viagra super active 
online, =), http://shopdrugcheap.com/order-tadacip-online-en.html buy cheap Tadacip, 1442, http://ordergenericdrugs.com/products/cialis.htm cialis online, =(((, http://more-drugs.com/products/levitra.htm levitra online, 4955, ea84f2b9a55e481974d509a7f0fb6a0e12bb712a 398 397 2012-05-05T21:41:30Z 31.184.238.15 0 cGZWCHXoLdz wikitext text/x-wiki comment2, http://price-drugs.com/order-levaquin-online-en.html buy Levaquin online, 8[[, http://shopdrugcheap.com/order-priligy-online-en.html generic Priligy, 4121, http://ordergenericdrugs.com/products/rogaine-5-.htm buy rogaine 5%, rmttk, http://shopdrugcheap.com/order-accutane-online-en.html generic Accutane, =-PP, http://price-drugs.com/ buy Amoxil, 5273, cce26899efdd1e4309aee63f536ba72939c42a2d 399 398 2012-05-05T21:43:29Z 31.184.238.9 0 BpstAlsSEnbJB wikitext text/x-wiki , http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid, =(, http://more-drugs.com/products/deltasone.htm buy cheap deltasone, 43584, http://price-drugs.com/order-diflucan-online-en.html buy generic Diflucan, 562, http://shopdrugcheap.com/order-cipro-online-en.html buy generic Cipro, >:]]], http://shopdrugcheap.com/order-orlistat-online-en.html buy cheap Orlistat, %]], eb13015fc7310370032c408cf405457562c2d404 400 399 2012-05-05T21:47:23Z 31.184.238.9 0 cYIONCqKSmBORwI wikitext text/x-wiki , http://more-drugs.com/products/xenical.htm generic xenical, 917, http://more-drugs.com/products/nexium.htm nexium online, :]], http://ordergenericdrugs.com/products/cipro.htm buy cipro online, 8272, http://shopdrugcheap.com/order-proscar-online-en.html buy generic Proscar online, cjb, http://ordergenericdrugs.com/products/rogaine-5-.htm rogaine 5%, :DDD, b5eb62c23c53bb791a825ee1dac0955fe5bf76a9 401 400 2012-05-05T21:52:19Z 31.184.238.9 0 TBBkmnTs wikitext text/x-wiki , http://shopdrugcheap.com/order-proscar-online-en.html generic Proscar, 8196, http://more-drugs.com/products/viagra.htm buy viagra, nfy, http://shopdrugcheap.com/order-propecia-online-en.html 
buy Propecia, :-DD, http://ordergenericdrugs.com/products/clomid.htm buy cheap clomid, 899710, http://ordergenericdrugs.com/products/prevacid.htm generic prevacid, bam, acfeb701724c279862200d361da4734911359533 402 401 2012-05-05T21:53:10Z 31.184.238.15 0 EatuXnLRGBa wikitext text/x-wiki comment1, http://price-drugs.com/order-kamagra-online-en.html generic Kamagra, stw, http://more-drugs.com/products/synthroid.htm buy synthroid online, >:]]], http://more-drugs.com/products/cialis-professional.htm buy cialis professional online, dgxueo, http://ordergenericdrugs.com/products/cialis.htm cheap cialis, =-O, http://ordergenericdrugs.com/products/cipro.htm buy cipro online, >:]]], 198b468e4f8a728c576084654fa045c709f3232c 403 402 2012-05-05T21:56:29Z 31.184.238.9 0 gIRiJTzXPCk wikitext text/x-wiki , http://price-drugs.com/order-levitra-online-en.html buy Levitra, 8-(((, http://shopdrugcheap.com/order-cialis-professional-online-en.html buy Cialis Professional online, 51654, http://price-drugs.com/order-viagra-super-active-online-en.html buy cheap Viagra Super Active, =))), http://shopdrugcheap.com/order-levitra-online-en.html buy cheap Levitra, 1462, http://ordergenericdrugs.com/products/propecia.htm buy propecia online, >:[, e216ad0010cec5d9baec9bebe26d6160e779f056 404 403 2012-05-05T21:58:49Z 31.184.238.15 0 lsXDyxnkVSSZKPnvoC wikitext text/x-wiki comment4, http://price-drugs.com/order-female-viagra-online-en.html Female Viagra, 85225, http://price-drugs.com/order-ampicillin-online-en.html buy Ampicillin online, %OOO, http://shopdrugcheap.com/order-strattera-online-en.html buy Strattera, >:DDD, http://more-drugs.com/products/kamagra.htm buy kamagra, 424, http://ordergenericdrugs.com/products/levitra.htm buy levitra online, %-O, ca4519bff08235b69f74627f06f8fc4e5ac2e4aa 405 404 2012-05-05T22:00:50Z 31.184.238.9 0 ZrcDUZdCeTnEXUN wikitext text/x-wiki , http://price-drugs.com/order-bactrim-online-en.html generic Bactrim, 354043, 
http://ordergenericdrugs.com/products/levitra.htm levitra, pfigqa, http://more-drugs.com/products/kamagra.htm cheap kamagra, :((, http://price-drugs.com/order-kamagra-online-en.html generic Kamagra, :OOO, http://more-drugs.com/products/clomid.htm clomid online, 8OO, 4b3312f074476430c5f8e5ad881070f83e38b8b8 406 405 2012-05-05T22:05:01Z 31.184.238.9 0 ZPzYkpishaPsbjvCb wikitext text/x-wiki , http://price-drugs.com/order-cipro-online-en.html Cipro, 93298, http://shopdrugcheap.com/order-synthroid-online-en.html buy generic Synthroid online, >:-)), http://more-drugs.com/products/diflucan.htm cheap diflucan, =-]]], http://more-drugs.com/products/propecia.htm buy generic propecia, 121356, http://price-drugs.com/order-amoxil-online-en.html Amoxil, jky, a67f01877abc411040a26cb1aecd2010f3f0195d 407 406 2012-05-05T22:05:22Z 31.184.238.15 0 lQRJWVFrVNdZbgEDN wikitext text/x-wiki comment4, http://shopdrugcheap.com/order-kamagra-online-en.html buy Kamagra, oohe, http://more-drugs.com/products/female-viagra.htm buy female viagra, 8[[, http://shopdrugcheap.com/order-cialis-professional-online-en.html buy Cialis Professional, %-D, http://more-drugs.com/products/xenical.htm generic xenical, ryd, http://shopdrugcheap.com/order-zoloft-online-en.html buy Zoloft, lsu, 424a43d14d71cc38d412ae5b0cade484c2a11ba6 408 407 2012-05-05T22:09:24Z 31.184.238.9 0 YsVElLmLTT wikitext text/x-wiki , http://ordergenericdrugs.com/products/deltasone.htm generic deltasone, =PPP, http://shopdrugcheap.com/order-cialis-super-active-online-en.html buy Cialis Super Active online, >:DDD, http://price-drugs.com/order-zithromax-online-en.html buy generic Zithromax online, 8058, http://more-drugs.com/products/cialis-super-active-plus.htm generic cialis super active, :-O, http://price-drugs.com/order-cialis-professional-online-en.html Cialis Professional, 1504, 092a6f49dfff15fa56b2155da7619305064b0414 409 408 2012-05-05T22:11:16Z 31.184.238.15 0 JpOLqHwa wikitext text/x-wiki comment6, 
http://more-drugs.com/products/cialis.htm generic cialis, tzq, http://price-drugs.com/order-viagra-super-active-online-en.html generic Viagra Super Active, pfghd, http://more-drugs.com/products/prevacid.htm cheap prevacid, =-OOO, http://shopdrugcheap.com/order-viagra-super-active-online-en.html generic Viagra Super Active, 821, http://price-drugs.com/order-flagyl-online-en.html buy Flagyl, awumu, 5f92af4c338be362b22a221c00c06d9ce0184666 410 409 2012-05-05T22:13:47Z 31.184.238.9 0 RdxLtJiPJGzFOGDtb wikitext text/x-wiki , http://shopdrugcheap.com/order-kamagra-online-en.html buy Kamagra online, %-OO, http://more-drugs.com/products/viagra-professional.htm viagra professional online, >:D, http://shopdrugcheap.com/order-priligy-online-en.html Priligy, %DDD, http://ordergenericdrugs.com/products/viagra-super-active-plus.htm buy viagra super active online, %-))), http://more-drugs.com/products/cialis-professional.htm buy cialis professional, 7723, 4e9f6224436b952740ecd6446a3ed41b98790877 411 410 2012-05-05T22:17:43Z 31.184.238.15 0 BtrGqBWaSEWKWsEEhx wikitext text/x-wiki comment5, http://more-drugs.com/products/cialis-super-active-plus.htm buy cialis super active online, asucxl, http://ordergenericdrugs.com/products/cialis-super-active-plus.htm generic cialis super active, qav, http://shopdrugcheap.com/order-cialis-super-active-online-en.html buy Cialis Super Active online, 6465, http://price-drugs.com/ buy Levitra, nyn, http://ordergenericdrugs.com/products/pepcid.htm generic pepcid, :DDD, d11b9313e130da6d95dbe284c91dd9f15ef900d2 412 411 2012-05-05T22:18:38Z 31.184.238.9 0 nDMErrOSEwjNI wikitext text/x-wiki , http://ordergenericdrugs.com/products/strattera.htm buy generic strattera, sxpwti, http://price-drugs.com/order-lipitor-online-en.html buy generic Lipitor, qukh, http://price-drugs.com/order-lasix-online-en.html buy Lasix online, %OO, http://ordergenericdrugs.com/products/celebrex.htm buy celebrex online, =-]]], 
http://price-drugs.com/order-viagra-professional-online-en.html generic Viagra Professional, =-((, 2c903aac26039a553de95d04dd6c4434eff3adba 413 412 2012-05-05T22:22:45Z 31.184.238.9 0 miJNgbMETkuxM wikitext text/x-wiki , http://ordergenericdrugs.com/products/female-viagra.htm buy cheap female viagra, :]], http://shopdrugcheap.com/order-lasix-online-en.html buy generic Lasix, dlxm, http://more-drugs.com/products/plavix.htm buy plavix online, 088, http://ordergenericdrugs.com/products/xenical.htm buy generic xenical, zhhtrv, http://price-drugs.com/order-cialis-professional-online-en.html buy generic Cialis Professional online, eprgag, c5f2c5487ce549bd8fccca17a418e41a16132001 414 413 2012-05-05T22:24:15Z 31.184.238.15 0 qOhbXkWmmI wikitext text/x-wiki comment4, http://price-drugs.com/order-cialis-online-en.html buy Cialis online, qujful, http://shopdrugcheap.com/order-zithromax-online-en.html buy Zithromax online, 3304, http://price-drugs.com/order-proventil-online-en.html Proventil, 87142, http://more-drugs.com/products/deltasone.htm buy deltasone, =O, http://ordergenericdrugs.com/products/prevacid.htm cheap prevacid, 406609, c55436870fac7eb940bd7030751438058be9b3d1 415 414 2012-05-05T22:27:37Z 31.184.238.9 0 HGdGOlNlM wikitext text/x-wiki , http://more-drugs.com/products/cipro.htm generic cipro, cxzji, http://price-drugs.com/order-zoloft-online-en.html buy cheap Zoloft, 2327, http://more-drugs.com/products/viagra.htm buy cheap viagra, %), http://more-drugs.com/products/pepcid.htm buy generic pepcid, =-), http://price-drugs.com/order-zithromax-online-en.html buy Zithromax, mgrili, d31de4ffa048352f80650e32fd43457816905354 416 415 2012-05-05T22:30:20Z 31.184.238.15 0 SxuClJGfe wikitext text/x-wiki comment2, http://price-drugs.com/order-cialis-online-en.html generic Cialis, 66555, http://shopdrugcheap.com/order-zithromax-online-en.html buy Zithromax online, 2290, http://price-drugs.com/order-proventil-online-en.html buy Proventil, 0731, 
http://more-drugs.com/products/deltasone.htm buy deltasone, nuuf, http://ordergenericdrugs.com/products/prevacid.htm buy prevacid online, %-(((, 314aa78ae65e9bc8889a9df5f989ab444ce94200 417 416 2012-05-05T22:36:45Z 31.184.238.15 0 CGgvWgMtWEokpGRzhp wikitext text/x-wiki comment3, http://more-drugs.com/products/cipro.htm cheap cipro, 874750, http://more-drugs.com/ buy cipro online, 8-]]], http://more-drugs.com/products/clomid.htm generic clomid, 283, http://shopdrugcheap.com/order-viagra-professional-online-en.html buy Viagra Professional, 8PP, http://more-drugs.com/products/nexium.htm cheap nexium, >:-(, 3fa6057b579761fec344d905a2d2a459bfede08d 418 417 2012-05-05T22:40:23Z 31.184.238.9 0 dOzaNsdVNjVf wikitext text/x-wiki , http://ordergenericdrugs.com/products/cialis-super-active-plus.htm cialis super active, :-), http://price-drugs.com/order-nolvadex-online-en.html buy generic Nolvadex online, %-(, http://more-drugs.com/products/cialis.htm buy cialis online, %DD, http://ordergenericdrugs.com/products/xenical.htm generic xenical, :(((, http://shopdrugcheap.com/order-viagra-professional-online-en.html buy cheap Viagra Professional, 076722, 3ccddf320bb5c740dfed20f448322eecc823c3de 419 418 2012-05-05T22:42:24Z 31.184.238.15 0 zFxyMiiIOQyRetLamy wikitext text/x-wiki comment3, http://more-drugs.com/products/cialis.htm buy cialis online, 3238, http://price-drugs.com/order-viagra-super-active-online-en.html buy Viagra Super Active, :(((, http://more-drugs.com/products/prevacid.htm cheap prevacid, 140508, http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy Viagra Super Active, 8-]], http://price-drugs.com/order-flagyl-online-en.html buy Flagyl, %-[[, 1faf000c9a9a08fd7fc8549c9879baf89e0f5eeb 420 419 2012-05-05T22:44:38Z 31.184.238.9 0 cByWIEQtwxZForFSO wikitext text/x-wiki , http://shopdrugcheap.com/order-cialis-online-en.html generic Cialis, 996, http://price-drugs.com/order-female-viagra-online-en.html buy Female Viagra online, 685, 
http://ordergenericdrugs.com/products/zovirax.htm generic zovirax, 97140, http://price-drugs.com/order-clomid-online-en.html buy Clomid, >:-[[, http://price-drugs.com/order-cialis-super-active-online-en.html Cialis Super Active, shcrym, 833e7bd1b90081e0c79c8f96324d3dd9134d2787 421 420 2012-05-05T22:48:41Z 31.184.238.15 0 qSJJyfUor wikitext text/x-wiki comment5, http://shopdrugcheap.com/order-kamagra-online-en.html Kamagra, 8(((, http://more-drugs.com/products/female-viagra.htm buy female viagra, ydfzc, http://shopdrugcheap.com/order-cialis-professional-online-en.html Cialis Professional, =-OOO, http://more-drugs.com/products/xenical.htm generic xenical, 481816, http://shopdrugcheap.com/order-zoloft-online-en.html buy Zoloft online, 6698, 7f0f3a05e246c52692c2fae19b419a1b4602d1d9 422 421 2012-05-05T22:49:22Z 31.184.238.9 0 fCZMVUMyf wikitext text/x-wiki , http://ordergenericdrugs.com/products/strattera.htm strattera online, 303627, http://price-drugs.com/order-lipitor-online-en.html buy generic Lipitor online, >:]], http://price-drugs.com/order-lasix-online-en.html buy Lasix, byskp, http://ordergenericdrugs.com/products/celebrex.htm buy celebrex, mguzk, http://price-drugs.com/order-viagra-professional-online-en.html generic Viagra Professional, 81606, c3fe6c463385951d63dfba84e05da5f0e20fd3c2 423 422 2012-05-05T22:53:20Z 31.184.238.9 0 OwLIHpCMIPCRdPsrG wikitext text/x-wiki , http://ordergenericdrugs.com/products/amoxil.htm buy generic amoxil, qrbe, http://ordergenericdrugs.com/products/kamagra.htm kamagra, 5354, http://ordergenericdrugs.com/ buy levitra online, :-[, http://price-drugs.com/order-cialis-super-active-online-en.html Cialis Super Active, :[, http://shopdrugcheap.com/order-priligy-online-en.html Priligy, 8[[, b017d507ea4d2fda6b4a2dc785108119f7e0f5f7 424 423 2012-05-05T22:54:27Z 31.184.238.15 0 TUpKlgSbvg wikitext text/x-wiki comment4, http://price-drugs.com/order-female-viagra-online-en.html buy Female Viagra online, 27112, 
Linux Security Summit 2012
http://price-drugs.com/order-diflucan-online-en.html generic Diflucan, >:-OO, http://more-drugs.com/products/rogaine-5-.htm generic rogaine 5%, pucr, http://more-drugs.com/products/cialis.htm buy generic cialis, :O, http://more-drugs.com/products/cialis.htm buy generic cialis, 297, http://shopdrugcheap.com/order-orlistat-online-en.html Orlistat, qyjqql, 88c3600b4a1b886863fcd7b0d5dac6d477ea59da 508 507 2012-05-06T02:34:02Z 31.184.238.9 0 sbCBcvZbQZoIXxPoN wikitext text/x-wiki , http://price-drugs.com/order-cialis-online-en.html buy Cialis online, 8OO, http://price-drugs.com/order-proventil-online-en.html generic Proventil, :DDD, http://more-drugs.com/products/viagra-professional.htm cheap viagra professional, mpiz, http://more-drugs.com/products/pepcid.htm buy pepcid online, 476, http://more-drugs.com/products/prevacid.htm prevacid, 678580, 73fef845b4ddc6f32d43a194095692371b916820 509 508 2012-05-06T02:34:50Z 31.184.238.15 0 QFyPMHsBYGxsokipV wikitext text/x-wiki comment6, http://price-drugs.com/order-zithromax-online-en.html Zithromax, ughc, http://shopdrugcheap.com/order-levitra-online-en.html buy Levitra online, %P, http://price-drugs.com/order-cialis-professional-online-en.html buy Cialis Professional online, 8-P, http://more-drugs.com/products/viagra-super-active-plus.htm buy viagra super active, 326484, http://shopdrugcheap.com/order-viagra-online-en.html buy Viagra online, sso, 4a17cc9a7c980fc681ec1562127ad692d887053a 510 509 2012-05-06T02:38:50Z 31.184.238.9 0 RSaHDmUIal wikitext text/x-wiki , http://price-drugs.com/order-levitra-online-en.html generic Levitra, 730, http://shopdrugcheap.com/order-cialis-professional-online-en.html Cialis Professional, ujmzf, http://price-drugs.com/order-viagra-super-active-online-en.html buy generic Viagra Super Active, 469, http://shopdrugcheap.com/order-levitra-online-en.html buy generic Levitra, >:]], http://ordergenericdrugs.com/products/propecia.htm generic propecia, :[, b4334276d27f9887ecc1727911e37078a46f9104 511 510 
2012-05-06T02:40:27Z 31.184.238.15 0 InLvguFVHDJFolFETF wikitext text/x-wiki comment3, http://more-drugs.com/ buy clomid online, 09163, http://price-drugs.com/order-prednisone-online-en.html Prednisone, 34815, http://ordergenericdrugs.com/products/kamagra.htm generic kamagra, bllj, http://price-drugs.com/order-levitra-online-en.html Levitra, 905815, http://more-drugs.com/products/viagra-professional.htm generic viagra professional, 897, f523e18e5e6547bfbe61049266b1523ce57341b0 512 511 2012-05-06T02:43:01Z 31.184.238.9 0 nXOTmmXtOKMB wikitext text/x-wiki , http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid, 8-(((, http://more-drugs.com/products/deltasone.htm buy generic deltasone, 954, http://price-drugs.com/order-diflucan-online-en.html Diflucan, 34122, http://shopdrugcheap.com/order-cipro-online-en.html buy generic Cipro online, :-((, http://shopdrugcheap.com/order-orlistat-online-en.html Orlistat, :-OO, 14f2bf18aa3a9692450212d96ba602e661fb1156 513 512 2012-05-06T02:46:11Z 31.184.238.15 0 ZDtwzUJHFGRxKZ wikitext text/x-wiki comment5, http://more-drugs.com/products/cipro.htm buy cipro, axnlqw, http://more-drugs.com/ buy viagra super active online, ymkswe, http://more-drugs.com/products/clomid.htm buy clomid, mifxz, http://shopdrugcheap.com/order-viagra-professional-online-en.html generic Viagra Professional, :)), http://more-drugs.com/products/nexium.htm cheap nexium, aan, 5ba75aeae0b60e4f85f44c8fa4e85937cb4fba6c 514 513 2012-05-06T02:47:03Z 31.184.238.9 0 BmQUZPcDIQFddog wikitext text/x-wiki , http://ordergenericdrugs.com/products/cialis-super-active-plus.htm buy generic cialis super active, %-PPP, http://price-drugs.com/order-nolvadex-online-en.html buy cheap Nolvadex, ishpa, http://more-drugs.com/products/cialis.htm generic cialis, 814104, http://ordergenericdrugs.com/products/xenical.htm generic xenical, >:]], http://shopdrugcheap.com/order-viagra-professional-online-en.html buy generic Viagra Professional, oozag, 
75e97e78a906eddac333aa61c4a05827f13b0b7f 515 514 2012-05-06T02:51:26Z 31.184.238.9 0 xxXdxFxocRkcbWwF wikitext text/x-wiki , http://ordergenericdrugs.com/products/prevacid.htm prevacid, psnea, http://shopdrugcheap.com/order-female-viagra-online-en.html buy Female Viagra, 4784, http://more-drugs.com/products/kamagra.htm kamagra, %-((, http://ordergenericdrugs.com/products/celebrex.htm celebrex online, mwo, http://shopdrugcheap.com/order-levitra-online-en.html Levitra, =-DDD, 53afa35e1e95aaec1a639a5833acd3ba5831246d 516 515 2012-05-06T02:51:51Z 31.184.238.15 0 IqcxdcuXUfX wikitext text/x-wiki comment5, http://shopdrugcheap.com/ buy Accutane, 8-((, http://more-drugs.com/products/diflucan.htm buy diflucan, 8-DDD, http://shopdrugcheap.com/order-lasix-online-en.html generic Lasix, ahwyl, http://more-drugs.com/products/propecia.htm cheap propecia, 4235, http://shopdrugcheap.com/ buy Synthroid, 654023, 8d8d2a63b2bec1bfd711442c56f7daf846d6dfec 517 516 2012-05-06T02:55:42Z 31.184.238.9 0 sCxSgJRP wikitext text/x-wiki , http://more-drugs.com/products/nexium.htm buy nexium, 8-(((, http://more-drugs.com/products/viagra-super-active-plus.htm viagra super active online, wpng, http://shopdrugcheap.com/order-tadacip-online-en.html buy cheap Tadacip, %OO, http://ordergenericdrugs.com/products/cialis.htm cialis, 747, http://more-drugs.com/products/levitra.htm buy generic levitra, cojj, 07afcbd1cb4155c7c0790fa656cfc1fd6d049c3a 518 517 2012-05-06T02:58:06Z 31.184.238.15 0 HInFUcOzbgLIxmjc wikitext text/x-wiki comment6, http://price-drugs.com/order-female-viagra-online-en.html buy Female Viagra, :-], http://price-drugs.com/order-ampicillin-online-en.html buy Ampicillin online, >:-DDD, http://shopdrugcheap.com/order-strattera-online-en.html Strattera, 180941, http://more-drugs.com/products/kamagra.htm cheap kamagra, gzux, http://ordergenericdrugs.com/products/levitra.htm generic levitra, 119344, 1d0e9639686c532fb3bdd269bc9e8519e2c47355 519 518 2012-05-06T03:00:34Z 31.184.238.9 0 
YCtWhOfYMlGQqRLmILy wikitext text/x-wiki , http://price-drugs.com/order-doxycycline-online-en.html buy cheap Doxycycline, >:PP, http://more-drugs.com/ buy cialis super active online, cnjyb, http://price-drugs.com/order-nolvadex-online-en.html buy Nolvadex, 8016, http://more-drugs.com/products/xenical.htm buy cheap xenical, enoyok, http://ordergenericdrugs.com/products/zovirax.htm buy generic zovirax, 929, 792b2bcc3e7e8df423db3502a160009a4b37aef1 520 519 2012-05-06T03:04:01Z 31.184.238.15 0 IAciyatMrbCw wikitext text/x-wiki comment3, http://ordergenericdrugs.com/products/strattera.htm buy strattera online, :OOO, http://price-drugs.com/order-propecia-online-en.html generic Propecia, 214, http://more-drugs.com/products/plavix.htm cheap plavix, 558919, http://ordergenericdrugs.com/products/clomid.htm generic clomid, >:O, http://more-drugs.com/products/nolvadex.htm buy nolvadex, pyhzm, 219dd5a6d267bfd72c5fdab7ea3d5987093b367e 521 520 2012-05-06T03:04:16Z 31.184.238.9 0 jiYqigBrrcWWYd wikitext text/x-wiki , http://shopdrugcheap.com/order-diflucan-online-en.html generic Diflucan, 172454, http://shopdrugcheap.com/order-accutane-online-en.html buy Accutane online, 089334, http://more-drugs.com/products/female-viagra.htm buy female viagra online, 905, http://ordergenericdrugs.com/products/amoxil.htm buy amoxil, fzfsk, http://price-drugs.com/order-proventil-online-en.html Proventil, :-OOO, 22ae507f23590a9a282370caf8ada0d6794e2bcb 522 521 2012-05-06T03:08:55Z 31.184.238.9 0 adQLUmvRN wikitext text/x-wiki , http://more-drugs.com/products/nexium.htm buy nexium online, yvnft, http://more-drugs.com/products/viagra-super-active-plus.htm viagra super active, 377910, http://shopdrugcheap.com/order-tadacip-online-en.html buy cheap Tadacip, neflv, http://ordergenericdrugs.com/products/cialis.htm cialis online, 8631, http://more-drugs.com/products/levitra.htm buy cheap levitra, sdfi, 9f832b2064a2862abadb563d5c39895f8bbdb2ce 523 522 2012-05-06T03:09:36Z 31.184.238.15 0 
jTphPmhqsDSZRsrxhVW wikitext text/x-wiki comment1, http://price-drugs.com/order-female-viagra-online-en.html generic Female Viagra, xzu, http://price-drugs.com/order-ampicillin-online-en.html generic Ampicillin, 389, http://shopdrugcheap.com/order-strattera-online-en.html buy Strattera online, 8[, http://more-drugs.com/products/kamagra.htm buy kamagra online, >:DDD, http://ordergenericdrugs.com/products/levitra.htm cheap levitra, qxvxnd, 5cc42998b6fb327a148eec184d8ef516abf6a7a0 524 523 2012-05-06T03:13:38Z 31.184.238.9 0 zjZCPXjAOcMvpuJY wikitext text/x-wiki , http://price-drugs.com/order-levitra-online-en.html buy Levitra online, okrzm, http://shopdrugcheap.com/order-cialis-professional-online-en.html generic Cialis Professional, 686, http://price-drugs.com/order-viagra-super-active-online-en.html Viagra Super Active, vwccev, http://shopdrugcheap.com/order-levitra-online-en.html Levitra, :(, http://ordergenericdrugs.com/products/propecia.htm cheap propecia, okdche, 75af02092f52fe2b6ad3d18e7faf4d1d7042bb95 525 524 2012-05-06T03:15:35Z 31.184.238.15 0 MuhlsIbFkUPfyO wikitext text/x-wiki comment5, http://price-drugs.com/order-zithromax-online-en.html buy Zithromax online, 901, http://shopdrugcheap.com/order-levitra-online-en.html generic Levitra, %O, http://price-drugs.com/order-cialis-professional-online-en.html generic Cialis Professional, 4125, http://more-drugs.com/products/viagra-super-active-plus.htm buy viagra super active, 925411, http://shopdrugcheap.com/order-viagra-online-en.html generic Viagra, 838, a70ee682b05645d1ed163934c864f02b7f533b85 526 525 2012-05-06T03:18:59Z 31.184.238.9 0 etyjkrLjZE wikitext text/x-wiki , http://more-drugs.com/products/xenical.htm buy xenical, 8-O, http://more-drugs.com/products/nexium.htm nexium, 01126, http://ordergenericdrugs.com/products/cipro.htm buy cipro online, 8P, http://shopdrugcheap.com/order-proscar-online-en.html buy generic Proscar, xnbu, http://ordergenericdrugs.com/products/rogaine-5-.htm buy cheap rogaine 5%, 
979519, 2b7c7c9a4e05f355d9c8fef2350b311025528764 527 526 2012-05-06T03:21:26Z 31.184.238.15 0 ioWvFhEdl wikitext text/x-wiki comment6, http://shopdrugcheap.com/order-female-viagra-online-en.html Female Viagra, hblkeu, http://more-drugs.com/products/pepcid.htm buy pepcid online, ftvuy, http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid, kxzbgd, http://shopdrugcheap.com/order-cialis-online-en.html buy Cialis, hbjoxs, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft online, wcp, ddfac626c6400593075cec27fbafa8594f3037a0 528 527 2012-05-06T03:23:36Z 31.184.238.9 0 MPNiUEeFToroNQIsh wikitext text/x-wiki , http://price-drugs.com/order-diflucan-online-en.html generic Diflucan, :-D, http://more-drugs.com/products/rogaine-5-.htm buy rogaine 5%, aduloe, http://more-drugs.com/products/cialis.htm buy cheap cialis, %)), http://more-drugs.com/products/cialis.htm buy cheap cialis, zptyfq, http://shopdrugcheap.com/order-orlistat-online-en.html generic Orlistat, 348, c187715d841a8df4c2b78b0c702a2bfa79e01b21 529 528 2012-05-06T03:27:09Z 31.184.238.15 0 yMEFvhkVvdoqqYO wikitext text/x-wiki comment6, http://more-drugs.com/products/cialis-super-active-plus.htm generic cialis super active, 8PPP, http://ordergenericdrugs.com/products/cialis-super-active-plus.htm generic cialis super active, 8]], http://shopdrugcheap.com/order-cialis-super-active-online-en.html generic Cialis Super Active, 6826, http://price-drugs.com/ buy Levitra, :-PP, http://ordergenericdrugs.com/products/pepcid.htm generic pepcid, 54947, 53b2d4c4a92c4bcab4e60f134e31499284107ffb 530 529 2012-05-06T03:28:11Z 31.184.238.9 0 pKbvGqRQxkP wikitext text/x-wiki , http://price-drugs.com/order-diflucan-online-en.html Diflucan, zvs, http://more-drugs.com/products/rogaine-5-.htm cheap rogaine 5%, 200522, http://more-drugs.com/products/cialis.htm cialis online, 334, http://more-drugs.com/products/cialis.htm buy cheap cialis, axofe, http://shopdrugcheap.com/order-orlistat-online-en.html buy Orlistat online, 
788, 343e7f849db79df8d4ec9e4896f4474e1052d34d 531 530 2012-05-06T03:33:15Z 31.184.238.15 0 aEuJeBathXEvkgNndbq wikitext text/x-wiki comment3, http://price-drugs.com/order-zithromax-online-en.html generic Zithromax, ocier, http://shopdrugcheap.com/order-levitra-online-en.html buy Levitra, :]], http://price-drugs.com/order-cialis-professional-online-en.html buy Cialis Professional, 8PP, http://more-drugs.com/products/viagra-super-active-plus.htm generic viagra super active, aszb, http://shopdrugcheap.com/order-viagra-online-en.html buy Viagra, 028, 24153f2163ac812d2d4f51c5213f3806234f9d78 532 531 2012-05-06T03:38:09Z 31.184.238.9 0 dqJAWBDkHGVrUxsxrnY wikitext text/x-wiki , http://ordergenericdrugs.com/products/pepcid.htm buy pepcid online, 794840, http://ordergenericdrugs.com/products/strattera.htm buy strattera, 100, http://ordergenericdrugs.com/products/cipro.htm buy generic cipro, 8-)), http://more-drugs.com/products/plavix.htm buy generic plavix, >:-(((, http://price-drugs.com/order-doxycycline-online-en.html generic Doxycycline, svneos, fd86ecef279d54be04e4bc8b468eff22c17aa1b3 533 532 2012-05-06T03:39:36Z 31.184.238.15 0 UbxnIxUtGVOVvbRZq wikitext text/x-wiki comment6, http://price-drugs.com/order-cialis-online-en.html Cialis, htarqj, http://shopdrugcheap.com/order-zithromax-online-en.html buy Zithromax online, fvtdt, http://price-drugs.com/order-proventil-online-en.html buy Proventil, 5735, http://more-drugs.com/products/deltasone.htm buy deltasone, >:PP, http://ordergenericdrugs.com/products/prevacid.htm generic prevacid, gkoiek, 744711405b9c042371bd03d828eee2dee8b46fdf 534 533 2012-05-06T03:42:02Z 31.184.238.9 0 BSMGgVGbx wikitext text/x-wiki , http://ordergenericdrugs.com/products/pepcid.htm buy pepcid, exy, http://ordergenericdrugs.com/products/strattera.htm buy strattera, xnvp, http://ordergenericdrugs.com/products/cipro.htm buy generic cipro, 7710, http://more-drugs.com/products/plavix.htm plavix online, iibhz, 
http://price-drugs.com/order-doxycycline-online-en.html generic Doxycycline, 422, 1f96b51514c2a0c29554645507c8db3ee2e96062 535 534 2012-05-06T03:45:19Z 31.184.238.15 0 hTQiRkqNyfTDiMYTAdf wikitext text/x-wiki comment5, http://price-drugs.com/order-amoxil-online-en.html Amoxil, tnqrfe, http://price-drugs.com/order-zithromax-online-en.html generic Zithromax, ylsjbs, http://ordergenericdrugs.com/products/propecia.htm buy propecia, 18370, http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm cheap kamagra oral jelly, >:-(((, http://shopdrugcheap.com/order-orlistat-online-en.html generic Orlistat, =-D, 013cff2daebc076b9bb52dd311b7bfd00a333ecc 536 535 2012-05-06T03:46:28Z 31.184.238.9 0 GWhNEOja wikitext text/x-wiki , http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy generic Viagra Super Active, nillgz, http://shopdrugcheap.com/order-clomid-online-en.html buy generic Clomid, 202, http://ordergenericdrugs.com/products/viagra-super-active-plus.htm viagra super active, biww, http://more-drugs.com/products/cipro.htm buy generic cipro, %DD, http://shopdrugcheap.com/order-cialis-online-en.html Cialis, wonms, 8b8602868241deaf2a40221a621265192d183290 537 536 2012-05-06T03:51:03Z 31.184.238.9 0 wBwmDsThgBoe wikitext text/x-wiki , http://more-drugs.com/products/xenical.htm buy xenical, 868650, http://more-drugs.com/products/nexium.htm nexium online, pzy, http://ordergenericdrugs.com/products/cipro.htm buy cipro online, :(((, http://shopdrugcheap.com/order-proscar-online-en.html Proscar, 437, http://ordergenericdrugs.com/products/rogaine-5-.htm buy generic rogaine 5%, spbo, 7c35655a98f0ec41352990f2343af8d0a9a4681d 538 537 2012-05-06T03:51:40Z 31.184.238.15 0 eOtokMTfyWBIfeqXozu wikitext text/x-wiki comment1, http://shopdrugcheap.com/order-female-viagra-online-en.html buy Female Viagra, 951403, http://more-drugs.com/products/pepcid.htm buy pepcid online, %(((, http://shopdrugcheap.com/order-clomid-online-en.html buy Clomid online, uiopc, 
http://shopdrugcheap.com/order-cialis-online-en.html generic Cialis, fec, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft online, 8]], 70aa8422f7558431fbdae4f3d4e766385a37680a 539 538 2012-05-06T03:56:28Z 31.184.238.9 0 eyXhacCRAJVSqTNAFQO wikitext text/x-wiki , http://more-drugs.com/products/xenical.htm cheap xenical, esy, http://more-drugs.com/products/nexium.htm nexium online, jvbpni, http://ordergenericdrugs.com/products/cipro.htm generic cipro, zbj, http://shopdrugcheap.com/order-proscar-online-en.html buy generic Proscar online, vrep, http://ordergenericdrugs.com/products/rogaine-5-.htm rogaine 5% online, 1350, 46ec3acc9c2649c9b2d4155794e7f90214933258 540 539 2012-05-06T03:58:04Z 31.184.238.15 0 xWijsnQxkIHykkQbmm wikitext text/x-wiki comment6, http://price-drugs.com/order-female-viagra-online-en.html Female Viagra, :]]], http://price-drugs.com/order-ampicillin-online-en.html generic Ampicillin, 774080, http://shopdrugcheap.com/order-strattera-online-en.html buy Strattera, ktsd, http://more-drugs.com/products/kamagra.htm buy kamagra, 8-D, http://ordergenericdrugs.com/products/levitra.htm buy levitra online, hgbokp, ec45a581726e9b55d816b180a88c9a2584b35dfa 541 540 2012-05-06T04:00:56Z 31.184.238.9 0 hVbIjRSuJZnWDmqOXG wikitext text/x-wiki , http://more-drugs.com/products/nexium.htm generic nexium, >:-]]], http://more-drugs.com/products/viagra-super-active-plus.htm buy cheap viagra super active, :-]], http://shopdrugcheap.com/order-tadacip-online-en.html Tadacip, 320, http://ordergenericdrugs.com/products/cialis.htm cialis online, 5774, http://more-drugs.com/products/levitra.htm levitra online, =O, 118e56728b4c82e2ec740c96c38d8fd82c076680 542 541 2012-05-06T04:04:16Z 31.184.238.15 0 ZeKrUmSAPDLnK wikitext text/x-wiki comment3, http://ordergenericdrugs.com/products/amoxil.htm buy amoxil, 93267, http://shopdrugcheap.com/order-diflucan-online-en.html Diflucan, >:-(((, http://ordergenericdrugs.com/products/viagra-super-active-plus.htm generic viagra 
Linux Security Summit 2012 0 8
cialis super active, =), http://wheretobuynowlevitra.com/buy-cheap-generic-levitra-vardenafil-online/ levitra, 629313, de6f784dd6f4a26dbae8699c97dc84bdf3a1610a 574 573 2012-05-06T05:27:03Z 31.184.238.9 0 WjgLCaFXladBypxnAAB wikitext text/x-wiki , http://shopdrugcheap.com/order-zoloft-online-en.html buy generic Zoloft, xoxny, http://price-drugs.com/order-cipro-online-en.html generic Cipro, :-PPP, http://price-drugs.com/order-clomid-online-en.html buy generic Clomid, 38506, http://shopdrugcheap.com/order-kamagra-online-en.html Kamagra, =OOO, http://price-drugs.com/order-cipro-online-en.html Cipro, 916, 89bd058c6b95a6a9959cc4e1b2742d0aa8f0d375 575 574 2012-05-06T05:28:55Z 31.184.238.15 0 dLFftsFYbrvBVOMkjrN wikitext text/x-wiki comment6, http://wheretobuynowviagra.com/ viagra for sale without a prescription, %(((, http://wheretobuynowcialis.com/ cialis no prescription, 8-O, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-sildenafil-online/ viagra, 8-[[[, 9a59751908f08f428d19c0d4710d35fbaf7368e3 576 575 2012-05-06T05:31:27Z 31.184.238.9 0 yiEKJTDFhwEzK wikitext text/x-wiki , http://more-drugs.com/products/synthroid.htm generic synthroid, %(((, http://ordergenericdrugs.com/products/female-viagra.htm buy female viagra, =]], http://more-drugs.com/products/pepcid.htm pepcid, 423469, http://shopdrugcheap.com/order-zoloft-online-en.html generic Zoloft, qop, http://more-drugs.com/products/cipro.htm buy cipro, jktfll, f661c596ee5ead3cd586a5035a9c0b53af16f359 577 576 2012-05-06T05:35:08Z 31.184.238.15 0 IarOsrIwAhSaAE wikitext text/x-wiki comment2, http://getgenericpharmacy.com/compra-acquisto-levitra-vardenafil-prezzo-costo-online-italy/ online levitra, dqrxhk, http://ordergenericpharmacy.com/farmacia-online-senza-ricetta-medica-europa-italy/ farmacia senza prescrizione, =], http://newpharmacysite.com buy priligy online, sxvudz, 41c26fe84f6463a0107e294a44d1259ea5bf1f46 578 577 2012-05-06T05:35:44Z 31.184.238.9 0 OduiZWtpyYfaC wikitext text/x-wiki , 
http://more-drugs.com/products/clomid.htm buy cheap clomid, angeg, http://shopdrugcheap.com/order-cialis-online-en.html buy generic Cialis, mmiplz, http://more-drugs.com/products/cipro.htm cipro, 811815, http://ordergenericdrugs.com/products/amoxil.htm buy generic amoxil, 744420, http://shopdrugcheap.com/order-viagra-super-active-online-en.html Viagra Super Active, ghwu, 1dc093dd59ad345d7e189719e4f731475ef12c28 579 578 2012-05-06T05:40:27Z 31.184.238.9 0 jFjqEfrUXLc wikitext text/x-wiki , http://more-drugs.com/products/pepcid.htm generic pepcid, %OOO, http://more-drugs.com/products/diflucan.htm buy diflucan online, enab, http://more-drugs.com/products/synthroid.htm synthroid, 936612, http://ordergenericdrugs.com/products/female-viagra.htm buy cheap female viagra, >:[, http://price-drugs.com/order-lipitor-online-en.html buy cheap Lipitor, 449357, 52669b1bb895d6acc9e09e2720d0aa4008dced12 580 579 2012-05-06T05:41:26Z 31.184.238.15 0 fHwrRWrxxxahF wikitext text/x-wiki comment2, http://internetpharmacysite.com/comprar-venta-zithromax-azithromycin-costo-precio-en-linea-spain/ en linea zithromax, =-OO, http://genericpharmacyshop.com online pharmacy, 28862, http://newonlinepharmacy.com online pharmacy usa, 325, 750404cc6ace7e0a531e75d6b2915a8a13e93cc3 581 580 2012-05-06T05:44:09Z 31.184.238.9 0 CXVKwfPeFYxX wikitext text/x-wiki , http://price-drugs.com/order-clomid-online-en.html buy Clomid online, hscmt, http://more-drugs.com/products/viagra-professional.htm buy viagra professional online, >:-DD, http://shopdrugcheap.com/order-cialis-online-en.html buy Cialis online, 131, http://more-drugs.com/products/xenical.htm cheap xenical, thwybv, http://more-drugs.com/products/kamagra.htm buy kamagra online, cbpflt, ec9b8e35aee2049e480f12491f0b737e93e92913 582 581 2012-05-06T05:47:14Z 31.184.238.15 0 TgDMthFiaf wikitext text/x-wiki comment4, http://newpharmacysite.com/comprar-venta-priligy-dapoxetine-costo-precio-en-linea-spain/ comprar priligy, 30349, 
http://internetpharmacysite.com/acheter-achat-zithromax-azithromycin-vente-en-ligne-france/ achat zithromax, zrpphi, http://ordergenericpharmacy.com online pharmacy usa, :-((, 836fb0b567c06c49c322a93c178154892434d877 583 582 2012-05-06T05:48:44Z 31.184.238.9 0 qEbRJPTOWZ wikitext text/x-wiki , http://more-drugs.com/products/kamagra.htm kamagra, dpvgiq, http://shopdrugcheap.com/order-retin-a-online-en.html Retin-A, ajxqdi, http://shopdrugcheap.com/order-viagra-super-active-online-en.html Viagra Super Active, =OOO, http://shopdrugcheap.com/order-proscar-online-en.html Proscar, 47942, http://ordergenericdrugs.com/products/cipro.htm buy generic cipro, 56251, a1fd87bb462d9abe1ca32b262c5ce0cd3c4e6569 584 583 2012-05-06T05:52:54Z 31.184.238.9 0 HuooJviwnBIZjWtBJe wikitext text/x-wiki , http://ordergenericdrugs.com/products/strattera.htm buy generic strattera, :-(((, http://price-drugs.com/order-cialis-online-en.html buy cheap Cialis, mxlux, http://more-drugs.com/products/female-viagra.htm generic female viagra, lrtxcn, http://more-drugs.com/products/cialis-professional.htm generic cialis professional, 383, http://more-drugs.com/products/cialis.htm buy cialis online, thykhe, 60267eb936fc16cb4746c91fbdeda59357286f1f 585 584 2012-05-06T05:53:00Z 31.184.238.15 0 iHAhbjZegUuDZGABZ wikitext text/x-wiki comment6, http://mygenericdrugstore.com/comprar-venta-kamagra-costo-precio-en-linea-spain/ comprar kamagra, rjfadz, http://ordergenericpharmacy.com/farmacia-en-linea-sin-receta-europa-spain/ farmacia sin receta, mjo, http://genericpharmacyshop.com online drugstore, 124, d48bb018c4655ee6450358cdc176ff6e0f817ae5 586 585 2012-05-06T05:57:13Z 31.184.238.9 0 xiELkoKinSSzdRgNi wikitext text/x-wiki , http://more-drugs.com/products/cialis.htm cialis online, 0764, http://shopdrugcheap.com/order-clomid-online-en.html buy generic Clomid online, mlpei, http://price-drugs.com/order-cialis-professional-online-en.html buy Cialis Professional, =-DDD, 
http://price-drugs.com/order-levaquin-online-en.html Levaquin, eof, http://shopdrugcheap.com/order-orlistat-online-en.html buy Orlistat, %OOO, 0203540c462832fefb4b33c3161565dba7330ee1 587 586 2012-05-06T05:58:51Z 31.184.238.15 0 EyQFMHwT wikitext text/x-wiki comment6, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-force-sildenafil-online/ buy viagra super force, 2300, http://wheretobuynowcialis.com/buy-cheap-generic-tadalafil-online/ buy generic tadalafil, 2084, http://wheretobuynowlevitra.com/buy-cheap-generic-vardenafil-online/ buy vardenafil, 8[[, 7926b7e39cdf5d399618728b2fc1b63f2d8b04ae 588 587 2012-05-06T06:01:55Z 31.184.238.9 0 qFeEbhTmtGn wikitext text/x-wiki , http://shopdrugcheap.com/order-strattera-online-en.html buy generic Strattera online, :]], http://more-drugs.com/products/levitra.htm buy generic levitra, =PP, http://shopdrugcheap.com/order-diflucan-online-en.html buy Diflucan, 7123, http://more-drugs.com/products/cialis-super-active-plus.htm buy cialis super active, 70253, http://price-drugs.com/order-bactrim-online-en.html buy generic Bactrim, vkey, e8f4122858219bb911714f986836b32a0241c1db 589 588 2012-05-06T06:04:46Z 31.184.238.15 0 FukTZfKVGxCyfpBS wikitext text/x-wiki comment5, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-force-sildenafil-online/ buy generic viagra super force, %-PP, http://wheretobuynowcialis.com/buy-cheap-generic-tadalafil-online/ buy tadalafil online, ilbglu, http://wheretobuynowlevitra.com/buy-cheap-generic-vardenafil-online/ buy vardenafil online, :-(, 74ad022d1988375503d742bfff4243069709bef8 590 589 2012-05-06T06:06:21Z 31.184.238.9 0 PMUZYALUluynWksaN wikitext text/x-wiki , http://ordergenericdrugs.com/products/cialis.htm cheap cialis, %DDD, http://price-drugs.com/order-cialis-super-active-online-en.html Cialis Super Active, 2579, http://more-drugs.com/products/deltasone.htm deltasone online, :-)), http://ordergenericdrugs.com/products/viagra-super-active-plus.htm viagra super active, :-]], 
http://more-drugs.com/products/viagra-professional.htm buy cheap viagra professional, >:-)), 0f4333fffa17d025449527db6f68174ba32492cd 591 590 2012-05-06T06:10:26Z 31.184.238.15 0 ESYgftRLlKSAlBu wikitext text/x-wiki comment4, http://mygenericdrugstore.com price kamagra, %-OO, http://newonlinepharmacy.com/pharmacie-en-ligne-sans-ordonnance-france-europe-uk-usa/ pharmacie sans ordonnance, %D, http://internetpharmacysite.com/compra-acquisto-zithromax-azithromycin-prezzo-costo-online-italy/ online zithromax, 626, a720d8166335803ff05a29bfc1ac82d2173f955e 592 591 2012-05-06T06:11:06Z 31.184.238.9 0 tPehmPONDsfDBQv wikitext text/x-wiki , http://ordergenericdrugs.com/products/strattera.htm buy cheap strattera, 1752, http://price-drugs.com/order-cialis-online-en.html buy generic Cialis online, 018601, http://more-drugs.com/products/female-viagra.htm cheap female viagra, >:-]]], http://more-drugs.com/products/cialis-professional.htm buy cialis professional, :-)), http://more-drugs.com/products/cialis.htm buy cialis online, >:[[, 9055eee2f38f29cc7b9bc15ac6bb3f695276babd 593 592 2012-05-06T06:15:20Z 31.184.238.9 0 thLkbCkvknYefWuoWj wikitext text/x-wiki , http://more-drugs.com/products/kamagra.htm buy cheap kamagra, pdi, http://shopdrugcheap.com/order-retin-a-online-en.html buy Retin-A, 586, http://shopdrugcheap.com/order-viagra-super-active-online-en.html generic Viagra Super Active, 24107, http://shopdrugcheap.com/order-proscar-online-en.html buy generic Proscar online, >:]], http://ordergenericdrugs.com/products/cipro.htm cipro, %-)), 7b960ee316c4afb1a0d2ef10ce2d856d994d6321 Linux Security Summit 2012 0 8 594 593 2012-05-06T06:16:12Z 31.184.238.15 0 keonFWrtBG wikitext text/x-wiki comment4, http://newpharmacysite.com/comprar-venta-priligy-dapoxetine-costo-precio-en-linea-spain/ comprar priligy, emu, http://internetpharmacysite.com/acheter-achat-zithromax-azithromycin-vente-en-ligne-france/ acheter zithromax en ligne, 8-], http://ordergenericpharmacy.com online pharmacy 
canada, aouqx, ace88b21641206c113d05acf83749d64c3dfc1e2 595 594 2012-05-06T06:19:50Z 31.184.238.9 0 DpEzHgOgVzUYLPrF wikitext text/x-wiki , http://price-drugs.com/order-viagra-professional-online-en.html buy cheap Viagra Professional, vbu, http://shopdrugcheap.com/order-cialis-super-active-online-en.html buy generic Cialis Super Active online, %O, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft, rsgelv, http://ordergenericdrugs.com/products/rogaine-5-.htm cheap rogaine 5%, 8[[, http://more-drugs.com/ buy female viagra online, wcqtg, 99288bad97f9e7ebd0a88cd53cb1d95f8c3caebe 596 595 2012-05-06T06:21:45Z 31.184.238.15 0 blRzJAauwawBCItLT wikitext text/x-wiki comment1, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-force-sildenafil-online/ generic viagra super force, vvnke, http://wheretobuynowcialis.com/buy-cheap-generic-tadalafil-online/ buy tadalafil, >:-DD, http://wheretobuynowlevitra.com/buy-cheap-generic-vardenafil-online/ buy generic vardenafil, vljhtp, d739462dd12ba8a15a5a79517e95222864e651fe 597 596 2012-05-06T06:24:16Z 31.184.238.9 0 tgqcTBiqAniafE wikitext text/x-wiki , http://ordergenericdrugs.com/products/xenical.htm buy generic xenical, 749, http://shopdrugcheap.com/order-accutane-online-en.html buy Accutane online, =D, http://more-drugs.com/ buy deltasone online, zqrb, http://shopdrugcheap.com/order-cialis-professional-online-en.html buy cheap Cialis Professional, >:D, http://price-drugs.com/order-cialis-super-active-online-en.html generic Cialis Super Active, 344903, 7984555d2e7251571a5396b4860e9ae590fe9a39 598 597 2012-05-06T06:27:25Z 31.184.238.15 0 gIcIjJAcrZlMKWIDS wikitext text/x-wiki comment3, http://internetpharmacysite.com/comprar-venta-zithromax-azithromycin-costo-precio-en-linea-spain/ en linea zithromax, 856950, http://genericpharmacyshop.com online drugstore, 831331, http://newonlinepharmacy.com online pharmacy uk, owhrly, 6fbe27153ad60a4d285c9d6aef8a0e0c46909d3d 599 598 2012-05-06T06:33:10Z 31.184.238.15 0 
ilHGUGGUxrBgHhxzIv wikitext text/x-wiki comment1, http://getgenericdrugstore.com/farmacia-online-europa-italy-senza-ricetta-medica-usa-uk/ farmacia europa, 59768, http://getgenericpharmacy.com cheap levitra, :-DD, http://getgenericdrugstore.com online pharmacy europe, kvvt, 8273bd5581561bd41a725e3eb4f97037bac9ead2 600 599 2012-05-06T06:33:24Z 31.184.238.9 0 YIxUntibPxfzrpue wikitext text/x-wiki , http://more-drugs.com/products/cialis.htm cialis online, xraf, http://shopdrugcheap.com/order-clomid-online-en.html buy generic Clomid online, %-], http://price-drugs.com/order-cialis-professional-online-en.html buy Cialis Professional, uxm, http://price-drugs.com/order-levaquin-online-en.html buy generic Levaquin online, khi, http://shopdrugcheap.com/order-orlistat-online-en.html buy Orlistat, ijpnc, 9802073b13cd2a2c06bc5e87a907bd7ab69c4a38 601 600 2012-05-06T06:38:00Z 31.184.238.9 0 xesNTYXvAUseqx wikitext text/x-wiki , http://price-drugs.com/order-propecia-online-en.html buy Propecia, 54307, http://more-drugs.com/products/nexium.htm buy nexium online, %-DDD, http://ordergenericdrugs.com/products/celebrex.htm generic celebrex, 8984, http://shopdrugcheap.com/order-orlistat-online-en.html Orlistat, 71342, http://shopdrugcheap.com/order-female-viagra-online-en.html buy Female Viagra online, 82966, 0b016420595ec698ab4c1ef53f8655cea9ebb43f 602 601 2012-05-06T06:39:35Z 31.184.238.15 0 iOXKbSGMLrHPDBmtHtm wikitext text/x-wiki comment2, http://genericpharmacyshop.com/farmacia-en-linea-sin-receta-spain/ farmacia en linea, 8149, http://getgenericdrugstore.com/farmacia-en-linea-europa-spain-sin-receta-usa-uk/ spain farmacia, 376, http://newpharmacysite.com/acheter-achat-priligy-dapoxetine-vente-en-ligne-france/ vente priligy, 8-(, 5f1622418187ebb929d3b571d0ed8abff73c4fc1 603 602 2012-05-06T06:43:21Z 31.184.238.9 0 AEcvYJsYtsM wikitext text/x-wiki , http://shopdrugcheap.com/order-priligy-online-en.html buy cheap Priligy, 469, http://ordergenericdrugs.com/products/cialis.htm buy 
generic cialis, czobjm, http://price-drugs.com/order-female-viagra-online-en.html generic Female Viagra, 080, http://shopdrugcheap.com/order-propecia-online-en.html buy generic Propecia online, wmbw, http://ordergenericdrugs.com/products/kamagra.htm kamagra, 69140, 40d2ff61cb504d528d0feda5a82b6fedacfe4510 604 603 2012-05-06T06:45:17Z 31.184.238.15 0 cwyDIEuE wikitext text/x-wiki comment1, http://mygenericdrugstore.com online kamagra, 644, http://newonlinepharmacy.com/pharmacie-en-ligne-sans-ordonnance-france-europe-uk-usa/ pharmacie france, qgqzxx, http://internetpharmacysite.com/compra-acquisto-zithromax-azithromycin-prezzo-costo-online-italy/ prezzo zithromax, 742056, e0925080580c62135f91c4e400bd4af57f4748f4 605 604 2012-05-06T06:47:10Z 31.184.238.9 0 cgLGoXtIgGZrXrcFXh wikitext text/x-wiki , http://price-drugs.com/order-propecia-online-en.html buy Propecia, 8PP, http://more-drugs.com/products/nexium.htm generic nexium, :[[, http://ordergenericdrugs.com/products/celebrex.htm buy celebrex, 4245, http://shopdrugcheap.com/order-orlistat-online-en.html buy generic Orlistat, 8-OO, http://shopdrugcheap.com/order-female-viagra-online-en.html Female Viagra, >:OO, 43feefe5d82d59b9bf42075b22ccc3eb619d4056 606 605 2012-05-06T06:51:07Z 31.184.238.15 0 qrJSsIjPwU wikitext text/x-wiki comment1, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-active-sildenafil-online/ generic viagra super active, gdg, http://wheretobuynowcialis.com/buy-cheap-generic-cialis-tadalafil-online/ buy generic cialis, :[, http://wheretobuynowlevitra.com/ buy levitra online, 011, 27fc30ed97bbe11fff29fd741707ca4e87ccc6e9 607 606 2012-05-06T06:56:10Z 31.184.238.9 0 jZgnaVJtAI wikitext text/x-wiki , http://ordergenericdrugs.com/products/amoxil.htm cheap amoxil, 542562, http://ordergenericdrugs.com/products/propecia.htm propecia, kqjw, http://shopdrugcheap.com/order-female-viagra-online-en.html Female Viagra, 496776, http://shopdrugcheap.com/order-levitra-online-en.html buy generic Levitra 
online, >:D, http://ordergenericdrugs.com/products/celebrex.htm buy cheap celebrex, kjboy, 28cbda7e190cb590576b2cb33b7d6538fbd850cd 608 607 2012-05-06T06:57:38Z 31.184.238.15 0 UZRzLnXrsisX wikitext text/x-wiki comment5, http://wheretobuynowviagra.com/buy-cheap-generic-sildenafil-online/ generic sildenafil, 22163, http://wheretobuynowcialis.com/buy-cheap-generic-cialis-super-active-tadalafil-online/ buy cialis super active, uqi, http://wheretobuynowlevitra.com/buy-cheap-generic-levitra-vardenafil-online/ buy levitra, unor, b52064e42814f9c4c223846acb51acb17718525c 609 608 2012-05-06T07:00:26Z 31.184.238.9 0 lCjJEVSjahIjGOcw wikitext text/x-wiki , http://more-drugs.com/products/xenical.htm xenical online, zzmcbp, http://more-drugs.com/products/viagra-super-active-plus.htm viagra super active, ueysx, http://shopdrugcheap.com/order-cialis-super-active-online-en.html Cialis Super Active, %((, http://shopdrugcheap.com/order-zithromax-online-en.html buy cheap Zithromax, kzmsx, http://price-drugs.com/order-kamagra-online-en.html buy Kamagra, 962, f1de7341fae1708755ff2fd75b5691a34868ffbc 610 609 2012-05-06T07:03:36Z 31.184.238.15 0 bYXOaitqggIRA wikitext text/x-wiki comment4, http://ordergenericpharmacy.com/pharmacie-en-ligne-sans-ordonnance-europe-france/ pharmacie europe, %-[, http://getgenericdrugstore.com/pharmacie-en-ligne-europe-france-sans-ordonnance-uk-usa/ pharmacie france, 865394, http://genericpharmacyshop.com/farmacia-online-senza-prescrizione-medica-italy-usa-uk-europa/ farmacia senza prescrizione, lapys, eaebf7b8167dfc18d5b0aa51c0c1f54885f4699f 611 610 2012-05-06T07:04:53Z 31.184.238.9 0 ZSXuGISJKfXXSSp wikitext text/x-wiki , http://more-drugs.com/products/synthroid.htm buy synthroid, 6215, http://ordergenericdrugs.com/products/female-viagra.htm generic female viagra, hqcsr, http://more-drugs.com/products/pepcid.htm pepcid online, 96943, http://shopdrugcheap.com/order-zoloft-online-en.html generic Zoloft, 520, http://more-drugs.com/products/cipro.htm cheap 
cipro, zqmljz, ea917fc7ff9227521c2ffb66f22830c70ed9908d 612 611 2012-05-06T07:09:29Z 31.184.238.15 0 WMHONYqzjtzhrFdeULq wikitext text/x-wiki comment2, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-force-sildenafil-online/ buy viagra super force, 85514, http://wheretobuynowcialis.com/buy-cheap-generic-tadalafil-online/ tadalafil, 94634, http://wheretobuynowlevitra.com/buy-cheap-generic-vardenafil-online/ vardenafil, :OO, 94de18cf532f7f6e1235c7052b0f481a63d01f87 613 612 2012-05-06T07:09:52Z 31.184.238.9 0 ObyQYAwcXO wikitext text/x-wiki , http://more-drugs.com/products/clomid.htm clomid online, tan, http://shopdrugcheap.com/order-cialis-online-en.html Cialis, utghw, http://more-drugs.com/products/cipro.htm cipro, znkw, http://ordergenericdrugs.com/products/amoxil.htm buy cheap amoxil, >:-DD, http://shopdrugcheap.com/order-viagra-super-active-online-en.html Viagra Super Active, nrfykk, d4085362be5466c82cd4b6f52bcf90b7f4fc5a82 614 613 2012-05-06T07:14:56Z 31.184.238.15 0 AoJCvqDon wikitext text/x-wiki comment3, http://getgenericdrugstore.com/farmacia-online-europa-italy-senza-ricetta-medica-usa-uk/ farmacia online, 8[[[, http://getgenericpharmacy.com price levitra, 42482, http://getgenericdrugstore.com online pharmacy uk, owkl, f621fe3e7f25224a34bc14bdff038d97eb7bae54 615 614 2012-05-06T07:18:14Z 31.184.238.9 0 SkpLLTvmtAHYZU wikitext text/x-wiki , http://more-drugs.com/products/xenical.htm xenical, qadwk, http://more-drugs.com/products/viagra-super-active-plus.htm buy cheap viagra super active, njduz, http://shopdrugcheap.com/order-cialis-super-active-online-en.html generic Cialis Super Active, put, http://shopdrugcheap.com/order-zithromax-online-en.html Zithromax, %(, http://price-drugs.com/order-kamagra-online-en.html buy Kamagra online, ugbhf, cc5971d7cb9de392df06fdc867fcefc77bc0c89a 616 615 2012-05-06T07:20:46Z 31.184.238.15 0 DbVdLZRYRDbAdVNt wikitext text/x-wiki comment2, 
http://newpharmacysite.com/comprar-venta-priligy-dapoxetine-costo-precio-en-linea-spain/ venta priligy, 0630, http://internetpharmacysite.com/acheter-achat-zithromax-azithromycin-vente-en-ligne-france/ zithromax en ligne, 8P, http://ordergenericpharmacy.com online pharmacy uk, xmax, de16b3c92477a961dfea67d22f1755b733f5bf03 617 616 2012-05-06T07:23:07Z 31.184.238.9 0 hdaMhRwJvUlhPbNFn wikitext text/x-wiki , http://shopdrugcheap.com/order-priligy-online-en.html Priligy, %-P, http://ordergenericdrugs.com/products/cialis.htm buy cheap cialis, %PPP, http://price-drugs.com/order-female-viagra-online-en.html buy Female Viagra, >:-[[[, http://shopdrugcheap.com/order-propecia-online-en.html buy cheap Propecia, %P, http://ordergenericdrugs.com/products/kamagra.htm kamagra online, :)), bcc02f88ff55ebbe07d888b336d833a24b060b00 618 617 2012-05-06T07:26:45Z 31.184.238.15 0 pzCXifhULP wikitext text/x-wiki comment5, http://wheretobuynowviagra.com/buy-cheap-generic-sildenafil-online/ generic sildenafil, =-(, http://wheretobuynowcialis.com/buy-cheap-generic-cialis-super-active-tadalafil-online/ cialis super active, relml, http://wheretobuynowlevitra.com/buy-cheap-generic-levitra-vardenafil-online/ levitra, 3773, 40b8c94cd90fa9877fef077e22a19f4b8ecf1842 619 618 2012-05-06T07:27:49Z 31.184.238.9 0 SfZdftVLOhR wikitext text/x-wiki , http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm buy kamagra oral jelly online, 8-DDD, http://price-drugs.com/order-lasix-online-en.html generic Lasix, 437, http://price-drugs.com/order-levitra-online-en.html buy generic Levitra online, cxy, http://more-drugs.com/products/viagra.htm cheap viagra, 8-]], http://more-drugs.com/products/cialis-super-active-plus.htm buy generic cialis super active, 8]], 8b92769ce2b20f7f2972fcc6b0987bda10281915 620 619 2012-05-06T07:32:35Z 31.184.238.15 0 vdEkKzuJpTZfDJdUXoI wikitext text/x-wiki comment1, http://newpharmacysite.com/comprar-venta-priligy-dapoxetine-costo-precio-en-linea-spain/ comprar priligy, 592, 
http://internetpharmacysite.com/acheter-achat-zithromax-azithromycin-vente-en-ligne-france/ acheter zithromax en ligne, 548, http://ordergenericpharmacy.com online pharmacy europe, 607, bfec69c8a75c5504336b4e28661b54dd699bbd59 621 620 2012-05-06T07:32:52Z 31.184.238.9 0 qICRLNNf wikitext text/x-wiki , http://ordergenericdrugs.com/products/pepcid.htm buy generic pepcid, %), http://price-drugs.com/order-viagra-super-active-online-en.html buy generic Viagra Super Active, uihx, http://more-drugs.com/products/viagra-super-active-plus.htm generic viagra super active, lkmmm, http://shopdrugcheap.com/order-zithromax-online-en.html generic Zithromax, 143, http://shopdrugcheap.com/order-viagra-online-en.html buy Viagra, 135605, db89996737c256761e55cec5afa642400eb64de8 622 621 2012-05-06T07:38:05Z 31.184.238.9 0 ZaWguGRjp wikitext text/x-wiki , http://price-drugs.com/order-propecia-online-en.html generic Propecia, pmeqop, http://more-drugs.com/products/nexium.htm buy nexium, 660051, http://ordergenericdrugs.com/products/celebrex.htm buy celebrex online, ycksfl, http://shopdrugcheap.com/order-orlistat-online-en.html Orlistat, lckzpp, http://shopdrugcheap.com/order-female-viagra-online-en.html generic Female Viagra, =(((, 82c77fb98e70ce755018add8533f9b4d5766445f 623 622 2012-05-06T07:38:49Z 31.184.238.15 0 ldYEbxYpP wikitext text/x-wiki comment3, http://newonlinepharmacy.com/farmacia-online-senza-ricetta-medica-italy-usa-uk-europa/ farmacia online italy, 724, http://newonlinepharmacy.com/farmacia-en-linea-sin-receta-spain-europa-usa-uk/ farmacia sin receta, 506, http://getgenericpharmacy.com/comprar-venta-levitra-vardenafil-costo-precio-en-linea-spain/ venta levitra, %))), 57512bf51711825c5c507734bd1d30b79163e4b2 624 623 2012-05-06T07:42:32Z 31.184.238.9 0 xjHfUhdsdUIDDaZ wikitext text/x-wiki , http://price-drugs.com/order-clomid-online-en.html generic Clomid, xqays, http://more-drugs.com/products/viagra-professional.htm cheap viagra professional, szltu, 
http://shopdrugcheap.com/order-cialis-online-en.html generic Cialis, xbjmjf, http://more-drugs.com/products/xenical.htm generic xenical, 253, http://more-drugs.com/products/kamagra.htm buy kamagra online, 8-PP, 9cc7b07c87193384bff86d35a78132d455f60694 625 624 2012-05-06T07:44:43Z 31.184.238.15 0 WnfrDhUTloUWJ wikitext text/x-wiki comment6, http://mygenericdrugstore.com/compra-acquisto-kamagra-prezzo-costo-online-italy/ online kamagra, 974304, http://newpharmacysite.com/compra-acquisto-priligy-dapoxetine-prezzo-costo-online-italy/ acquisto priligy, kya, http://genericpharmacyshop.com/pharmacie-en-ligne-sans-ordonnance-europe/ pharmacie france, =], 3b30f63148b424705ed0e165ef9fe3308c6345f3 626 625 2012-05-06T07:47:00Z 31.184.238.9 0 OedNBRQGiRHFrTqWJc wikitext text/x-wiki , http://more-drugs.com/products/kamagra.htm kamagra, 662, http://shopdrugcheap.com/order-retin-a-online-en.html buy Retin-A online, rye, http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy Viagra Super Active online, 8-(, http://shopdrugcheap.com/order-proscar-online-en.html Proscar, dbbx, http://ordergenericdrugs.com/products/cipro.htm cipro, fonu, 302378842b202042304cf3e6fb2c243aa2e87df3 627 626 2012-05-06T07:50:41Z 31.184.238.15 0 DHQeyvToAYKDDT wikitext text/x-wiki comment2, http://genericpharmacyshop.com/farmacia-en-linea-sin-receta-spain/ farmacia uropa, >:DDD, http://getgenericdrugstore.com/farmacia-en-linea-europa-spain-sin-receta-usa-uk/ farmacia en linea, 434053, http://newpharmacysite.com/acheter-achat-priligy-dapoxetine-vente-en-ligne-france/ achat priligy, 7279, 081f4f85c3818ecfecc2c166bcaaeff648ea5f41 628 627 2012-05-06T07:56:21Z 31.184.238.9 0 HCcGorzgUl wikitext text/x-wiki , http://shopdrugcheap.com/order-zoloft-online-en.html buy generic Zoloft online, >:-], http://price-drugs.com/order-cipro-online-en.html generic Cipro, nqmo, http://price-drugs.com/order-clomid-online-en.html Clomid, >:-)), http://shopdrugcheap.com/order-kamagra-online-en.html Kamagra, cuc, 
http://price-drugs.com/order-cipro-online-en.html buy generic Cipro, =[[, a2bc46e06237674d5d2327843bcc87691b5a519e 629 628 2012-05-06T07:56:52Z 31.184.238.15 0 DSTCYJBedVswVJipRY wikitext text/x-wiki comment5, http://internetpharmacysite.com for sale zithromax, ozs, http://mygenericdrugstore.com/acheter-achat-kamagra-vente-en-ligne-france/ acheter kamagra en ligne, rhujw, http://getgenericpharmacy.com/acheter-achat-levitra-vardenafil-vente-en-ligne-france/ achat levitra, 014188, 7315a91f99c9ac1f5ed0b8654aa1f52910733b35 630 629 2012-05-06T08:01:19Z 31.184.238.9 0 qnsDVAtLaYbeQX wikitext text/x-wiki , http://more-drugs.com/products/deltasone.htm buy deltasone, =-(((, http://price-drugs.com/order-cialis-online-en.html buy Cialis, 532835, http://ordergenericdrugs.com/products/cialis-super-active-plus.htm buy cialis super active, =-[[, http://price-drugs.com/order-propecia-online-en.html buy generic Propecia online, 255936, http://more-drugs.com/products/prevacid.htm prevacid online, 9432, e5741f26ccc58388648f0170514dfd44185737ef 631 630 2012-05-06T08:03:08Z 31.184.238.15 0 UxnKqhCz wikitext text/x-wiki comment1, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-professional-sildenafil-online/ generic viagra professional, 0189, http://wheretobuynowcialis.com/buy-cheap-generic-cialis-professional-tadalafil-online/ buy generic cialis professional, noa, http://wheretobuynowlevitra.com/buy-cheap-generic-levitra-professional-vardenafil-online/ buy generic levitra professional, 828, a444c18578a6573063ffeee9c78b14ee488877d6 632 631 2012-05-06T08:05:48Z 31.184.238.9 0 iejYMrDZrLsVNyC wikitext text/x-wiki , http://shopdrugcheap.com/order-strattera-online-en.html buy generic Strattera online, %-DDD, http://more-drugs.com/products/levitra.htm levitra, =-(, http://shopdrugcheap.com/order-diflucan-online-en.html buy Diflucan online, tpukfp, http://more-drugs.com/products/cialis-super-active-plus.htm cheap cialis super active, buqjlg, 
http://wheretobuynowcialis.com/buy-cheap-generic-cialis-tadalafil-online/ cialis, bpz, http://wheretobuynowlevitra.com/ buy levitra online, 1938, 92d44efd31f920b903ba449299444e079f80ab8a 717 716 2012-05-06T11:51:09Z 31.184.238.9 0 KzXrolqIccBEeQ wikitext text/x-wiki , http://price-drugs.com/order-propecia-online-en.html buy Propecia online, 9674, http://more-drugs.com/products/nexium.htm buy nexium, 652819, http://ordergenericdrugs.com/products/celebrex.htm generic celebrex, 8((, http://shopdrugcheap.com/order-orlistat-online-en.html Orlistat, iheg, http://shopdrugcheap.com/order-female-viagra-online-en.html Female Viagra, %]]], 8d40060046ef4e0d6d87b1e1c66bed6eb1c2bafc 718 717 2012-05-06T11:56:03Z 31.184.238.9 0 XkUHVBtuVDgc wikitext text/x-wiki , http://shopdrugcheap.com/order-kamagra-online-en.html generic Kamagra, hpihcj, http://ordergenericdrugs.com/products/clomid.htm buy clomid online, 842448, http://price-drugs.com/order-bactrim-online-en.html buy Bactrim, xvq, http://price-drugs.com/order-diflucan-online-en.html Diflucan, jjodnl, http://shopdrugcheap.com/order-tadacip-online-en.html buy generic Tadacip, %(((, 6da078c2d8a62ce14fabebe29220814ad70dae10 719 718 2012-05-06T11:57:30Z 31.184.238.15 0 XXwCIwzJQIjjoRkfD wikitext text/x-wiki comment6, http://genericpharmacyshop.com/farmacia-en-linea-sin-receta-spain/ spain farmacia, rnvxs, http://getgenericdrugstore.com/farmacia-en-linea-europa-spain-sin-receta-usa-uk/ farmacia sin receta, 096, http://newpharmacysite.com/acheter-achat-priligy-dapoxetine-vente-en-ligne-france/ priligy en ligne, 60048, e474e9e9e3f9569872d01a3ae7b25a1c8370538b 720 719 2012-05-06T12:00:03Z 31.184.238.9 0 MuYFgZMf wikitext text/x-wiki , http://more-drugs.com/products/synthroid.htm buy synthroid online, nfyul, http://ordergenericdrugs.com/products/female-viagra.htm buy female viagra online, 9975, http://more-drugs.com/products/pepcid.htm buy cheap pepcid, =OO, http://shopdrugcheap.com/order-zoloft-online-en.html buy Zoloft, :O, 
http://more-drugs.com/products/cipro.htm cheap cipro, 647741, 01e47fa64fe27684fd35948a4fc2a0ad744fb596 721 720 2012-05-06T12:03:05Z 31.184.238.15 0 DxUSanhbXKPu wikitext text/x-wiki comment6, http://newpharmacysite.com/comprar-venta-priligy-dapoxetine-costo-precio-en-linea-spain/ comprar priligy en linea, rfx, http://internetpharmacysite.com/acheter-achat-zithromax-azithromycin-vente-en-ligne-france/ acheter zithromax, osoec, http://ordergenericpharmacy.com online drugstore, 4256, 6d82d97013a8a91c1dd5e06fa0a0a33a89b51b1d 722 721 2012-05-06T12:04:32Z 31.184.238.9 0 qGzQGjoKBPIURcjdqsq wikitext text/x-wiki , http://more-drugs.com/products/synthroid.htm generic synthroid, hvqvyu, http://ordergenericdrugs.com/products/female-viagra.htm buy female viagra online, ubxa, http://more-drugs.com/products/pepcid.htm pepcid online, xdf, http://shopdrugcheap.com/order-zoloft-online-en.html generic Zoloft, >:DDD, http://more-drugs.com/products/cipro.htm generic cipro, 8OOO, 07a8c4feb352b6e812bbada7f7e3f871ff8b0390 723 722 2012-05-06T12:08:53Z 31.184.238.15 0 zfAjgSEHNTGngGw wikitext text/x-wiki comment1, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-force-sildenafil-online/ viagra super force, 38358, http://wheretobuynowcialis.com/buy-cheap-generic-tadalafil-online/ buy tadalafil online, wvwxep, http://wheretobuynowlevitra.com/buy-cheap-generic-vardenafil-online/ buy generic vardenafil, 829800, 998950ffa6f9e189bef705d1de44dd7e72499ebe 724 723 2012-05-06T12:09:52Z 31.184.238.9 0 yXIndeyODimKrYM wikitext text/x-wiki , http://price-drugs.com/order-viagra-professional-online-en.html buy cheap Viagra Professional, 612311, http://shopdrugcheap.com/order-cialis-super-active-online-en.html buy cheap Cialis Super Active, 565, http://price-drugs.com/order-zoloft-online-en.html generic Zoloft, lxv, http://ordergenericdrugs.com/products/rogaine-5-.htm buy rogaine 5% online, rjqjix, http://more-drugs.com/ buy cipro online, =(((, 5b9d96b8811ef79cb862c463b6b52ec5bc819f1e 725 724 
2012-05-06T12:14:53Z 31.184.238.15 0 rdQnOgBqzmfykuR wikitext text/x-wiki comment5, http://genericpharmacyshop.com/farmacia-en-linea-sin-receta-spain/ farmacia en linea, jenlee, http://getgenericdrugstore.com/farmacia-en-linea-europa-spain-sin-receta-usa-uk/ spain farmacia, skhlr, http://newpharmacysite.com/acheter-achat-priligy-dapoxetine-vente-en-ligne-france/ achat priligy, %-)), 7c87c635573c1efb133de35ddb87a741f75eae8f 726 725 2012-05-06T12:18:34Z 31.184.238.9 0 yQItVqKBkrzfIk wikitext text/x-wiki , http://more-drugs.com/products/kamagra.htm kamagra online, 8]], http://shopdrugcheap.com/order-retin-a-online-en.html buy Retin-A, 01422, http://shopdrugcheap.com/order-viagra-super-active-online-en.html Viagra Super Active, 1693, http://shopdrugcheap.com/order-proscar-online-en.html buy generic Proscar online, 125775, http://ordergenericdrugs.com/products/cipro.htm buy generic cipro, 717, b7425f46774104728276230915c48032e385fb2f 727 726 2012-05-06T12:21:03Z 31.184.238.15 0 YByWFYVROu wikitext text/x-wiki comment1, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-professional-sildenafil-online/ buy generic viagra professional, %(, http://wheretobuynowcialis.com/buy-cheap-generic-cialis-professional-tadalafil-online/ buy generic cialis professional, 30627, http://wheretobuynowlevitra.com/buy-cheap-generic-levitra-professional-vardenafil-online/ generic levitra professional, %[, 78247f60382bbf62cdb62e945ef1ab9288fb20d8 728 727 2012-05-06T12:23:13Z 31.184.238.9 0 gsoJXvqUmweRyB wikitext text/x-wiki , http://more-drugs.com/products/clomid.htm buy generic clomid, 2134, http://shopdrugcheap.com/order-cialis-online-en.html Cialis, :O, http://more-drugs.com/products/cipro.htm buy generic cipro, =(, http://ordergenericdrugs.com/products/amoxil.htm buy generic amoxil, ugvq, http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy cheap Viagra Super Active, blcja, 21d7aa7949b74a4457fc3b032ea9f741081348ed 729 728 2012-05-06T12:26:42Z 31.184.238.15 0 
OTGprJwfQDvD wikitext text/x-wiki comment4, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-active-sildenafil-online/ buy viagra super active, =-[, http://wheretobuynowcialis.com/buy-cheap-generic-cialis-tadalafil-online/ cialis, >:-OO, http://wheretobuynowlevitra.com/ levitra for sale, ctjo, 79e8ae3fbc65cf953f124b50084528cb463f30db 730 729 2012-05-06T12:27:12Z 31.184.238.9 0 tuecJEnlRstnxPWFxC wikitext text/x-wiki , http://more-drugs.com/products/clomid.htm buy generic clomid, dtx, http://shopdrugcheap.com/order-cialis-online-en.html buy generic Cialis, %PPP, http://more-drugs.com/products/cipro.htm buy cheap cipro, %]], http://ordergenericdrugs.com/products/amoxil.htm amoxil online, pgl, http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy generic Viagra Super Active online, 57921, ff93c94fc4f02e83a4237e0ff1735ec63ed93bc7 731 730 2012-05-06T12:31:46Z 31.184.238.9 0 jJBIVPqxdHcHMAEr wikitext text/x-wiki , http://shopdrugcheap.com/order-strattera-online-en.html buy generic Strattera, =PP, http://more-drugs.com/products/levitra.htm buy cheap levitra, bbbark, http://shopdrugcheap.com/order-diflucan-online-en.html buy Diflucan online, kshnk, http://more-drugs.com/products/cialis-super-active-plus.htm generic cialis super active, >:], http://price-drugs.com/order-bactrim-online-en.html buy generic Bactrim, 53986, fd68ab601844bb1bc95ddae9994330fd3891af12 732 731 2012-05-06T12:32:29Z 31.184.238.15 0 FCdQvxXf wikitext text/x-wiki comment1, http://wheretobuynowviagra.com/ cheapest viagra, =DDD, http://wheretobuynowcialis.com/ cialis generic, bvotew, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-sildenafil-online/ buy viagra, pqk, 494eaffbb02e89886ceb2c25627559ba6ee51a92 733 732 2012-05-06T12:36:29Z 31.184.238.9 0 JetbEgLAbWmjyywG wikitext text/x-wiki , http://more-drugs.com/products/cialis.htm buy generic cialis, 832, http://shopdrugcheap.com/order-clomid-online-en.html buy cheap Clomid, nipy, 
http://price-drugs.com/order-cialis-professional-online-en.html buy Cialis Professional online, :-(, http://price-drugs.com/order-levaquin-online-en.html Levaquin, pkqn, http://shopdrugcheap.com/order-orlistat-online-en.html Orlistat, 137, 7599c43711ab6cd018b40b87f8bc44f45d2f690a 734 733 2012-05-06T12:38:48Z 31.184.238.15 0 WiwVqWGKJvbYztlPM wikitext text/x-wiki comment3, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-professional-sildenafil-online/ viagra professional, =))), http://wheretobuynowcialis.com/buy-cheap-generic-cialis-professional-tadalafil-online/ buy generic cialis professional, tgrlxu, http://wheretobuynowlevitra.com/buy-cheap-generic-levitra-professional-vardenafil-online/ buy levitra professional, %DD, d68241661ae1c0008bd7a13c515bf021ffdb6ba2 735 734 2012-05-06T12:40:57Z 31.184.238.9 0 baCiJQbFYSGOEMLTk wikitext text/x-wiki , http://shopdrugcheap.com/order-zoloft-online-en.html buy generic Zoloft online, 8-(((, http://price-drugs.com/order-cipro-online-en.html buy Cipro, >:PP, http://price-drugs.com/order-clomid-online-en.html buy cheap Clomid, >:-PPP, http://shopdrugcheap.com/order-kamagra-online-en.html Kamagra, 221, http://price-drugs.com/order-cipro-online-en.html buy cheap Cipro, 305, f9d5d9c06b12c4732c54ba2e9657ae488887cc73 736 735 2012-05-06T12:44:54Z 31.184.238.15 0 wAwcYXZIgrvBnFq wikitext text/x-wiki comment1, http://getgenericdrugstore.com/farmacia-online-europa-italy-senza-ricetta-medica-usa-uk/ farmacia europa, olmy, http://getgenericpharmacy.com buy levitra online, 38134, http://getgenericdrugstore.com online pharmacy canada, 88405, 548bcb73c042e28eb2572ebffcacb7d57901786d 737 736 2012-05-06T12:45:41Z 31.184.238.9 0 cMClnMLQOH wikitext text/x-wiki , http://price-drugs.com/order-viagra-professional-online-en.html buy cheap Viagra Professional, meuqg, http://shopdrugcheap.com/order-cialis-super-active-online-en.html buy generic Cialis Super Active online, 30211, http://price-drugs.com/order-zoloft-online-en.html buy Zoloft, 
8(, http://ordergenericdrugs.com/products/rogaine-5-.htm cheap rogaine 5%, %-DDD, http://more-drugs.com/ buy viagra online, 4414, eb951e89672e05ba3ad866d98c3f1305c81874e0 738 737 2012-05-06T12:50:01Z 31.184.238.9 0 GqTfCICbdD wikitext text/x-wiki , http://more-drugs.com/products/clomid.htm clomid online, %-(, http://shopdrugcheap.com/order-cialis-online-en.html buy generic Cialis online, 27547, http://more-drugs.com/products/cipro.htm cipro, 661276, http://ordergenericdrugs.com/products/amoxil.htm amoxil online, =-(((, http://shopdrugcheap.com/order-viagra-super-active-online-en.html Viagra Super Active, =-), 4c63a0594975961bb03b362b1be07a7af61f1d34 739 738 2012-05-06T12:51:10Z 31.184.238.15 0 FjUbnwnRaECnSo wikitext text/x-wiki comment4, http://internetpharmacysite.com/comprar-venta-zithromax-azithromycin-costo-precio-en-linea-spain/ en linea zithromax, 745217, http://genericpharmacyshop.com online pharmacy, 8230, http://newonlinepharmacy.com online pharmacy, :O, 4874d76583ca750c61f73b9815ade96c6e710536 740 739 2012-05-06T12:54:11Z 31.184.238.9 0 CwdCRvjMBHRcRXn wikitext text/x-wiki , http://more-drugs.com/products/viagra.htm viagra, >:OO, http://ordergenericdrugs.com/products/prevacid.htm buy generic prevacid, 81617, http://ordergenericdrugs.com/products/viagra.htm cheap viagra, 3806, http://price-drugs.com/order-prednisone-online-en.html buy Prednisone online, 116160, http://ordergenericdrugs.com/products/kamagra.htm kamagra, srux, 56670fac386cf420a95fd4917519976366fc3bf0 741 740 2012-05-06T12:56:53Z 31.184.238.15 0 faynKYxnhHxZYspE wikitext text/x-wiki comment5, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-force-sildenafil-online/ generic viagra super force, uqr, http://wheretobuynowcialis.com/buy-cheap-generic-tadalafil-online/ generic tadalafil, =-]], http://wheretobuynowlevitra.com/buy-cheap-generic-vardenafil-online/ generic vardenafil, 97399, 009bae2a63d6413fe3525480b6a69f645d5b2ae3 742 741 2012-05-06T12:58:42Z 31.184.238.9 0 SSBJtOcWq 
Linux Security Summit 2012 0 8
online, hhya, http://more-drugs.com/products/cipro.htm cipro, olf, http://ordergenericdrugs.com/products/amoxil.htm buy cheap amoxil, rmmv, http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy generic Viagra Super Active online, :-), 4d40211e992b76bea35dd96b59b9f7e368516d1e 789 788 2012-05-06T15:02:49Z 31.184.238.15 0 AwcoNnaZptipzQYI wikitext text/x-wiki comment5, http://wheretobuynowviagra.com/buy-cheap-generic-sildenafil-online/ generic sildenafil, 979, http://wheretobuynowcialis.com/buy-cheap-generic-cialis-super-active-tadalafil-online/ buy cialis super active online, hpb, http://wheretobuynowlevitra.com/buy-cheap-generic-levitra-vardenafil-online/ generic levitra, =-DD, 7358f022e71584326b4f0d377ccea8060d1f2710 790 789 2012-05-06T15:06:25Z 31.184.238.9 0 IZIMItcosfvZ wikitext text/x-wiki , http://more-drugs.com/products/diflucan.htm diflucan, lfnhhn, http://shopdrugcheap.com/order-synthroid-online-en.html Synthroid, psdlaq, http://price-drugs.com/order-viagra-online-en.html Viagra, 8900, http://more-drugs.com/products/nolvadex.htm cheap nolvadex, =-OO, http://shopdrugcheap.com/order-lasix-online-en.html generic Lasix, 476282, a8b63b5b7f774aa63ad524d698e81a0ec6ff0b1c 791 790 2012-05-06T15:09:33Z 31.184.238.15 0 cmDCoeLuGn wikitext text/x-wiki comment3, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-force-sildenafil-online/ buy generic viagra super force, goupd, http://wheretobuynowcialis.com/buy-cheap-generic-tadalafil-online/ buy generic tadalafil, 7191, http://wheretobuynowlevitra.com/buy-cheap-generic-vardenafil-online/ vardenafil, 29470, e854282371a3cdf2750856520304cb13e77b79c0 792 791 2012-05-06T15:11:07Z 31.184.238.9 0 eBHRBYBg wikitext text/x-wiki , http://shopdrugcheap.com/order-priligy-online-en.html buy generic Priligy online, wxzzj, http://ordergenericdrugs.com/products/cialis.htm cialis online, pmtykc, http://price-drugs.com/order-female-viagra-online-en.html generic Female Viagra, nbnip, 
http://shopdrugcheap.com/order-propecia-online-en.html buy cheap Propecia, :[[[, http://ordergenericdrugs.com/products/kamagra.htm kamagra online, >:], 2c1a9c77199d072db9974039a3fbc5b29f1f326c 793 792 2012-05-06T15:15:39Z 31.184.238.9 0 JAROANnjISqBrp wikitext text/x-wiki , http://more-drugs.com/products/xenical.htm buy generic xenical, tdhwn, http://more-drugs.com/products/viagra-super-active-plus.htm viagra super active, 8-DD, http://shopdrugcheap.com/order-cialis-super-active-online-en.html buy Cialis Super Active, yrafr, http://shopdrugcheap.com/order-zithromax-online-en.html buy cheap Zithromax, disxb, http://price-drugs.com/order-kamagra-online-en.html Kamagra, 8]]], cf8b4afd98ddee01895d235cc10f351d6f9bcece Linux Security Summit 2012 0 8 794 793 2012-05-06T15:15:46Z 31.184.238.15 0 gOhegxEzNSigQucfU wikitext text/x-wiki comment3, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-force-sildenafil-online/ buy viagra super force online, 320, http://wheretobuynowcialis.com/buy-cheap-generic-tadalafil-online/ tadalafil, 97525, http://wheretobuynowlevitra.com/buy-cheap-generic-vardenafil-online/ vardenafil, 253828, 2ac0bd7d2ea6510121de617399b5a6800248f913 795 794 2012-05-06T15:21:19Z 31.184.238.15 0 GaxSIGxFGzhK wikitext text/x-wiki comment4, http://mygenericdrugstore.com/comprar-venta-kamagra-costo-precio-en-linea-spain/ en linea kamagra, 2425, http://ordergenericpharmacy.com/farmacia-en-linea-sin-receta-europa-spain/ spain farmacia, 66491, http://genericpharmacyshop.com online pharmacy canada, :-(, 7b68f3d15eee702dfa077b0d54746e6949b32ad0 796 795 2012-05-06T15:27:21Z 31.184.238.15 0 AFhTxgmsxCgXduFt wikitext text/x-wiki comment2, http://wheretobuynowviagra.com/ cheap viagra tablets, ptghnr, http://wheretobuynowcialis.com/ buy cialis online, 561066, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-sildenafil-online/ buy generic viagra, 220, 4519ed4a44e378d9c0c481de7a0351295ddbe31a 797 796 2012-05-06T15:33:56Z 31.184.238.15 0 oIanddHClm wikitext 
text/x-wiki comment2, http://getgenericdrugstore.com/farmacia-online-europa-italy-senza-ricetta-medica-usa-uk/ farmacia online, ygnqok, http://getgenericpharmacy.com order levitra, qhwb, http://getgenericdrugstore.com online drugstore, :-DDD, 07b2dc8d3701b0dcac7269512b11029927f254f1 798 797 2012-05-06T15:34:06Z 31.184.238.9 0 FgzKkpkxl wikitext text/x-wiki , http://more-drugs.com/products/kamagra.htm buy cheap kamagra, 442365, http://shopdrugcheap.com/order-retin-a-online-en.html Retin-A, =-), http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy Viagra Super Active, >:-PPP, http://shopdrugcheap.com/order-proscar-online-en.html Proscar, 336, http://ordergenericdrugs.com/products/cipro.htm buy cheap cipro, =-]], 4ea4a8e5e6b7b4dc5e2d9aef3694881005771499 799 798 2012-05-06T15:38:42Z 31.184.238.9 0 NLqnIwNRJCwCTe wikitext text/x-wiki , http://ordergenericdrugs.com/products/propecia.htm cheap propecia, vjj, http://more-drugs.com/products/female-viagra.htm buy generic female viagra, fgl, http://shopdrugcheap.com/order-cipro-online-en.html buy generic Cipro online, =[, http://price-drugs.com/order-nolvadex-online-en.html buy Nolvadex online, :-[, http://price-drugs.com/order-amoxil-online-en.html buy Amoxil online, 783291, 4cdd19201a8dbf19fa8911bb7a43c692d84ab4a5 800 799 2012-05-06T15:39:35Z 31.184.238.15 0 FmfFdxqEzQM wikitext text/x-wiki comment6, http://genericpharmacyshop.com/farmacia-en-linea-sin-receta-spain/ farmacia uropa, 8[, http://getgenericdrugstore.com/farmacia-en-linea-europa-spain-sin-receta-usa-uk/ farmacia sin receta, 8-DDD, http://newpharmacysite.com/acheter-achat-priligy-dapoxetine-vente-en-ligne-france/ achat priligy, 83682, 4230e02ef23e1b367de64b51fa29b9bff22eea44 801 800 2012-05-06T15:43:46Z 31.184.238.9 0 oPnGBkdIActKxF wikitext text/x-wiki , http://more-drugs.com/products/clomid.htm clomid online, hjsfw, http://shopdrugcheap.com/order-cialis-online-en.html buy generic Cialis online, njqgz, http://more-drugs.com/products/cipro.htm 
buy cheap cipro, dujbed, http://ordergenericdrugs.com/products/amoxil.htm amoxil online, 7775, http://shopdrugcheap.com/order-viagra-super-active-online-en.html buy generic Viagra Super Active online, >:-(((, 7bd4d02a516c4173cfe10d29a21382fd79bca039 802 801 2012-05-06T15:45:20Z 31.184.238.15 0 mqYCEMsPISpXTZHHheU wikitext text/x-wiki comment4, http://internetpharmacysite.com buy zithromax online, %-OOO, http://mygenericdrugstore.com/acheter-achat-kamagra-vente-en-ligne-france/ acheter kamagra en ligne, 365, http://getgenericpharmacy.com/acheter-achat-levitra-vardenafil-vente-en-ligne-france/ achat levitra, :-]]], f6fabf16eb145cdcd28d0605de07223d669cea5c 803 802 2012-05-06T15:48:55Z 31.184.238.9 0 avleunpN wikitext text/x-wiki , http://ordergenericdrugs.com/products/xenical.htm buy generic xenical, :-((, http://shopdrugcheap.com/order-accutane-online-en.html buy Accutane online, =-P, http://more-drugs.com/ buy viagra professional online, auyt, http://shopdrugcheap.com/order-cialis-professional-online-en.html buy generic Cialis Professional, gfdg, http://price-drugs.com/order-cialis-super-active-online-en.html buy Cialis Super Active online, 8((, c171b6cdd0f8b0c382b6f0bc7416786215572f0a 804 803 2012-05-06T15:51:44Z 31.184.238.15 0 gfyRjHcX wikitext text/x-wiki comment2, http://mygenericdrugstore.com for sale kamagra, =[[[, http://newonlinepharmacy.com/pharmacie-en-ligne-sans-ordonnance-france-europe-uk-usa/ pharmacie en ligne, toinad, http://internetpharmacysite.com/compra-acquisto-zithromax-azithromycin-prezzo-costo-online-italy/ online zithromax, lbh, 577e6151cb79e77457d62f290185ad97f2f115e2 805 804 2012-05-06T15:53:31Z 31.184.238.9 0 htHhVrZRWwjWOzwCDdx wikitext text/x-wiki , http://ordergenericdrugs.com/products/pepcid.htm cheap pepcid, %OOO, http://price-drugs.com/order-ampicillin-online-en.html buy cheap Ampicillin, 3518, http://shopdrugcheap.com/order-proscar-online-en.html buy Proscar, %[[, http://ordergenericdrugs.com/products/zovirax.htm buy zovirax, :], 
http://ordergenericdrugs.com/products/kamagra-oral-jelly.htm kamagra oral jelly online, ylby, a6e7d30fa14366776f233444aae7c53e24dcde49 806 805 2012-05-06T15:57:43Z 31.184.238.15 0 CcxWtdWtACFwRxWTHx wikitext text/x-wiki comment1, http://mygenericdrugstore.com/comprar-venta-kamagra-costo-precio-en-linea-spain/ venta kamagra, 2748, http://ordergenericpharmacy.com/farmacia-en-linea-sin-receta-europa-spain/ farmacia en linea, uia, http://genericpharmacyshop.com online pharmacy europe, 90850, e71140e998a8ec0a607c46d10da35abcb0fb9094 807 806 2012-05-06T15:58:37Z 31.184.238.9 0 ZDtDXkLgCxscUhHaIQ wikitext text/x-wiki , http://more-drugs.com/products/levitra.htm buy levitra online, 789, http://price-drugs.com/order-ampicillin-online-en.html buy Ampicillin online, 8-(, http://price-drugs.com/order-doxycycline-online-en.html Doxycycline, 221, http://more-drugs.com/products/nexium.htm nexium, 311, http://price-drugs.com/order-levitra-online-en.html buy Levitra, uaveg, 5b9bf4af2f87079b8e2d415d14df9308ee074536 808 807 2012-05-06T16:02:52Z 31.184.238.9 0 IWHtXhWoALdz wikitext text/x-wiki , http://price-drugs.com/order-clomid-online-en.html buy Clomid, bwfq, http://more-drugs.com/products/viagra-professional.htm generic viagra professional, 02342, http://shopdrugcheap.com/order-cialis-online-en.html buy Cialis, %-)), http://more-drugs.com/products/xenical.htm buy xenical online, %-P, http://more-drugs.com/products/kamagra.htm buy kamagra online, :-DDD, 073d2a294c452358b1398408641d32e925efa0a2 809 808 2012-05-06T16:03:31Z 31.184.238.15 0 rKBpUGFlCK wikitext text/x-wiki comment1, http://getgenericpharmacy.com/compra-acquisto-levitra-vardenafil-prezzo-costo-online-italy/ prezzo levitra, ukp, http://ordergenericpharmacy.com/farmacia-online-senza-ricetta-medica-europa-italy/ farmacia online italy, 1324, http://newpharmacysite.com cheap priligy, :-OOO, e7920e0983204544ae6373fd05e988da9bcdae79 810 809 2012-05-06T16:07:20Z 31.184.238.9 0 gtnoeFTUtK wikitext text/x-wiki , 
http://ordergenericdrugs.com/products/xenical.htm buy xenical, hjeif, http://ordergenericdrugs.com/products/viagra.htm buy cheap viagra, sxu, http://more-drugs.com/products/cialis.htm buy cheap cialis, jbun, http://shopdrugcheap.com/order-priligy-online-en.html buy Priligy online, :(((, http://ordergenericdrugs.com/products/cipro.htm buy cipro, 51486, ac92fd21fb9de3090bf5646c55c52d4bc96de528 811 810 2012-05-06T16:09:01Z 31.184.238.15 0 JVVgbMYpIXww wikitext text/x-wiki comment6, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-active-sildenafil-online/ generic viagra super active, 0719, http://wheretobuynowcialis.com/buy-cheap-generic-cialis-tadalafil-online/ buy cialis, rct, http://wheretobuynowlevitra.com/ buy levitra online, 231497, 9b1a48892b9f23bedebe92b3ed5300c0402cbe07 812 811 2012-05-06T16:11:56Z 31.184.238.9 0 vbeZabETf wikitext text/x-wiki , http://price-drugs.com/order-propecia-online-en.html Propecia, :]], http://more-drugs.com/products/nexium.htm buy nexium, 610957, http://ordergenericdrugs.com/products/celebrex.htm buy celebrex, 4565, http://shopdrugcheap.com/order-orlistat-online-en.html buy cheap Orlistat, :OOO, http://shopdrugcheap.com/order-female-viagra-online-en.html Female Viagra, 909, 2de6ae08f267dbe7a425653c69068738958c9946 813 812 2012-05-06T16:14:41Z 31.184.238.15 0 JVSyMcRRDTBFp wikitext text/x-wiki comment2, http://newpharmacysite.com/comprar-venta-priligy-dapoxetine-costo-precio-en-linea-spain/ comprar priligy, >:(, http://internetpharmacysite.com/acheter-achat-zithromax-azithromycin-vente-en-ligne-france/ zithromax en ligne, 2977, http://ordergenericpharmacy.com online pharmacy europe, :-]]], fa30f186271c12a5c5116fef6515cff2d27aba63 814 813 2012-05-06T16:16:49Z 31.184.238.9 0 pchwOSrMbWqTKlGAzDA wikitext text/x-wiki , http://ordergenericdrugs.com/products/viagra-super-active-plus.htm generic viagra super active, pkrol, http://price-drugs.com/ buy Propecia, :))), 
http://shopdrugcheap.com/order-viagra-professional-online-en.html Viagra Professional, 590834, http://price-drugs.com/order-flagyl-online-en.html generic Flagyl, :]]], http://shopdrugcheap.com/order-synthroid-online-en.html buy generic Synthroid, 81133, b6f5647560c35a3a09691cf0ae50f7845710f427 815 814 2012-05-06T16:20:45Z 31.184.238.15 0 ynrGXvetXbpjDHAts wikitext text/x-wiki comment4, http://newonlinepharmacy.com/farmacia-online-senza-ricetta-medica-italy-usa-uk-europa/ farmacia europa, 271, http://newonlinepharmacy.com/farmacia-en-linea-sin-receta-spain-europa-usa-uk/ farmacia online, 8-), http://getgenericpharmacy.com/comprar-venta-levitra-vardenafil-costo-precio-en-linea-spain/ venta levitra, 545911, 69445d7569cf1b3bc2bbb03ed5c4a5c3130a7513 816 815 2012-05-06T16:21:08Z 31.184.238.9 0 aLFyfOuskSt wikitext text/x-wiki , http://more-drugs.com/products/diflucan.htm diflucan online, >:[[, http://shopdrugcheap.com/order-synthroid-online-en.html generic Synthroid, %D, http://price-drugs.com/order-viagra-online-en.html buy Viagra, lowsiq, http://more-drugs.com/products/nolvadex.htm cheap nolvadex, jzov, http://shopdrugcheap.com/order-lasix-online-en.html buy Lasix, birbl, d953031d8f3b77a0c9cafdb8dffa73ca35400d25 817 816 2012-05-06T16:26:44Z 31.184.238.9 0 MfHLyRmlzlovdI wikitext text/x-wiki , http://price-drugs.com/order-viagra-professional-online-en.html buy generic Viagra Professional, luxz, http://shopdrugcheap.com/order-cialis-super-active-online-en.html buy generic Cialis Super Active, %))), http://price-drugs.com/order-zoloft-online-en.html buy Zoloft, 6489, http://ordergenericdrugs.com/products/rogaine-5-.htm generic rogaine 5%, 8441, http://more-drugs.com/ buy deltasone online, >:-((, a8cb1233d19a4013fa62146b182a1e3e7aa483b5 818 817 2012-05-06T16:26:45Z 31.184.238.15 0 atPxmBmCPve wikitext text/x-wiki comment6, http://wheretobuynowviagra.com/buy-cheap-generic-viagra-super-force-sildenafil-online/ buy generic viagra super force, %-(((, 
http://wheretobuynowcialis.com/buy-cheap-generic-tadalafil-online/ buy generic tadalafil, zftyis, http://wheretobuynowlevitra.com/buy-cheap-generic-vardenafil-online/ buy vardenafil online, mjnkj, 54b8421ded6aadb19a9483c39d2d1cbfc0c2fd45 819 818 2012-05-06T16:30:39Z 31.184.238.9 0 bRwHHqVg wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-risperdal-online-en.html generic risperdal, =-], http://cheappurchaseonline.com/buy-generic-rocaltrol-online-en.html generic rocaltrol, %DD, http://cheappurchaseonline.com/buy-generic-rulide-online-en.html generic rulide, :(, http://cheappurchaseonline.com/buy-generic-rythmol-online-en.html generic rythmol, 8PP, http://cheappurchaseonline.com/buy-generic-serevent-online-en.html generic serevent, =[[[, 8bed0cbf9b0ed84f414bc5aef2d36671759ffca5 820 819 2012-05-06T16:32:19Z 31.184.238.15 0 kCmVoHkG wikitext text/x-wiki comment5, http://getgenericpharmacy.com/compra-acquisto-levitra-vardenafil-prezzo-costo-online-italy/ acquisto levitra, miofx, http://ordergenericpharmacy.com/farmacia-online-senza-ricetta-medica-europa-italy/ farmacia online italy, qlv, http://newpharmacysite.com online priligy, =DDD, 32cd5a9bfc97214bd72320655b7ea00f4e3554ba 821 820 2012-05-06T16:35:25Z 31.184.238.9 0 dEnoMkTVtlfkYBPFY wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-depakote-online-en.html generic depakote, uht, http://cheappurchaseonline.com/buy-generic-inderal-online-en.html generic inderal, 309824, http://cheappurchaseonline.com/buy-generic-cardarone-online-en.html generic cardarone, 334, http://cheappurchaseonline.com/buy-generic-artane-online-en.html generic artane, :]]], http://cheappurchaseonline.com/buy-generic-dilantin-online-en.html generic dilantin, qdzlym, 1a79565379497d5162d827b71ac65fd13b4221fb 822 821 2012-05-06T16:38:33Z 31.184.238.15 0 mMgRoDCzAiaEUzXQln wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-detrol-la-online-en.html generic detrol la, plnfne, 
http://cheappurchaseonline.com/buy-generic-detrol-online-en.html generic detrol, 6612, http://cheappurchaseonline.com/buy-generic-diamox-online-en.html generic diamox, 5705, 682f3380ee352dca3380263173179725eea8df83 823 822 2012-05-06T16:44:27Z 31.184.238.9 0 nlKRWZYluAXpsnLsqs wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-tadalis-sx-soft-online-en.html generic tadalis sx soft, =), http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html generic nizoral, xxpr, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html generic amoxil, >:-]]], http://cheappurchaseonline.com/buy-generic-prandin-online-en.html generic prandin, woizef, http://cheappurchaseonline.com/buy-generic-kamagra-flavored-online-en.html generic kamagra flavored, =OO, eb450236f55c73bb69c3598081d20139206ba9f9 824 823 2012-05-06T16:44:43Z 31.184.238.15 0 wUOCrcXQWbjcFNPR wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html generic benicar, daxa, http://cheappurchaseonline.com/buy-generic-diovan-hct-online-en.html generic diovan hct, mphs, http://cheappurchaseonline.com/buy-generic-reglan-online-en.html generic reglan, yzsrur, 6fefc3ecd2732f8f19427578d6f95be5bac925b2 825 824 2012-05-06T16:49:42Z 31.184.238.9 0 BYZhBZehONaKhqhjK wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-urso-online-en.html generic urso, tvywxm, http://cheappurchaseonline.com/buy-generic-venlor-online-en.html generic venlor, 381032, http://cheappurchaseonline.com/buy-generic-coreg-online-en.html generic coreg, iypgif, http://cheappurchaseonline.com/buy-generic-actigall-online-en.html generic actigall, hrnx, http://cheappurchaseonline.com/ buy prednisone, 242488, 6b90020bea670f7fea262857174c77a87b7e0dee 826 825 2012-05-06T16:51:06Z 31.184.238.15 0 lgtdDTJwWUzVod wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-tetracycline-online-en.html generic tetracycline, =P, 
http://cheappurchaseonline.com/buy-generic-keftab-online-en.html generic keftab, xki, http://cheappurchaseonline.com/buy-generic-neoral-online-en.html generic neoral, etj, 07eb9055d3327b85812f1034009157f3c95d3cc6 827 826 2012-05-06T16:54:21Z 31.184.238.9 0 QKRdeoSRyFCEWDIKSO wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html generic cialis super active, hznt, http://cheappurchaseonline.com/buy-generic-minocin-online-en.html generic minocin, 38446, http://cheappurchaseonline.com/buy-generic-ceclor-online-en.html generic ceclor, %P, http://cheappurchaseonline.com/buy-generic-feldene-online-en.html generic feldene, 53284, http://cheappurchaseonline.com/buy-generic-ditropan-online-en.html generic ditropan, :-D, d61ca71ee3ca18b5ff9b0e7fb4c6a1899a41a55e 828 827 2012-05-06T16:56:56Z 31.184.238.15 0 yHanHtZjF wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-vigora-online-en.html generic vigora, lhycn, http://cheappurchaseonline.com/buy-generic-combipres-online-en.html generic combipres, 8P, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html generic kamagra, hekw, aa21cc87ff9d66233b80a2712f592a0137e0b162 829 828 2012-05-06T16:58:37Z 31.184.238.9 0 OceLDEXnvsfgw wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-eskalith-online-en.html generic eskalith, vwi, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html generic calcium carbonate, :OOO, http://cheappurchaseonline.com/buy-generic-paxil-online-en.html generic paxil, 537, http://cheappurchaseonline.com/buy-generic-tegretol-online-en.html generic tegretol, =O, http://cheappurchaseonline.com/buy-generic-elavil-online-en.html generic elavil, %PP, 93b3b0524bddae3063f9173bdf58523789d489eb 830 829 2012-05-06T17:03:08Z 31.184.238.15 0 IThohMhNlUsMia wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html generic cialis super active, slf, 
http://cheappurchaseonline.com/buy-generic-theo-24-cr-online-en.html generic theo-24 cr, >:O, http://cheappurchaseonline.com/buy-generic-rythmol-online-en.html generic rythmol, >:OO, 0040ac35b8a13fa6a7c1a789edf8e325a619f66a 831 830 2012-05-06T17:03:17Z 31.184.238.9 0 QNMiYfXZyPpYfi wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-levitra-oral-jelly-online-en.html generic levitra oral jelly, %OO, http://cheappurchaseonline.com/buy-generic-catapres-online-en.html generic catapres, jlvu, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html generic viagra professional, 161, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html generic cozaar, =-P, http://cheappurchaseonline.com/buy-generic-amaryl-online-en.html generic amaryl, :-OOO, a600a07a70473ca158a0d6a2b754afbcc926606a 832 831 2012-05-06T17:07:57Z 31.184.238.9 0 srSDQBxmBvPAi wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, 9991, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, ivb, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html generic tricor, 8-))), http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html generic viagra super active, mgdkzo, http://cheappurchaseonline.com/buy-generic-apcalis-sx-online-en.html generic apcalis sx, hsrdpb, 7b38ad9fdc48ffe1cb44b313c92fc4a6c64c8cd9 833 832 2012-05-06T17:08:59Z 31.184.238.15 0 KNWWhqDA wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-imodium-online-en.html generic imodium, :-]]], http://cheappurchaseonline.com/buy-generic-pamelor-online-en.html generic pamelor, 1331, http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html generic ampicillin, %[[, 1b6b2bbad548324f438bbc5b779d4a691541f3a8 834 833 2012-05-06T17:12:56Z 31.184.238.9 0 WKsNyCrFwte wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-rulide-online-en.html generic rulide, miu, 
http://cheappurchaseonline.com/buy-generic-lotrisone-online-en.html generic lotrisone, =-(, http://cheappurchaseonline.com/buy-generic-zetia-online-en.html generic zetia, 19126, http://cheappurchaseonline.com/buy-generic-erectalis-online-en.html generic erectalis, 87767, http://cheappurchaseonline.com/buy-generic-theo-24-sr-online-en.html generic theo-24 sr, 4587, f36b1740f0f23220e39498c4b2e7dab8d291d61e 835 834 2012-05-06T17:14:56Z 31.184.238.15 0 RGvoyRlPJaTQNhfFwRU wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ generic prednisone, biby, http://cheappurchaseonline.com/buy-generic-kamagra-flavored-online-en.html generic kamagra flavored, 74140, http://cheappurchaseonline.com/buy-generic-prozac-online-en.html generic prozac, %PP, e983fd535aed67b393db4e82133df2cfa713825c 836 835 2012-05-06T17:17:04Z 31.184.238.9 0 muQeZPpkoYbwRYOo wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-exelon-online-en.html generic exelon, 3335, http://cheappurchaseonline.com/buy-generic-brand-cialis-online-en.html generic brand cialis, 19478, http://cheappurchaseonline.com/buy-generic-effexor-xr-online-en.html generic effexor xr, kth, http://cheappurchaseonline.com/ generic levitra, :), http://cheappurchaseonline.com/buy-generic-keftab-online-en.html generic keftab, >:-OO, b67f3a3611f268b549cd3090df6985b0c8c0b2d5 837 836 2012-05-06T17:20:40Z 31.184.238.15 0 MviYPytwxHneko wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-lotensin-online-en.html generic lotensin, 348537, http://cheappurchaseonline.com/buy-generic-beloc-online-en.html generic beloc, oiianq, http://cheappurchaseonline.com/buy-generic-procardia-online-en.html generic procardia, wtj, 8243cdd2321b9550f15b322ed0b52e1a4d30381b 838 837 2012-05-06T17:25:57Z 31.184.238.9 0 cJjzPdMnxj wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-levitra-oral-jelly-online-en.html generic levitra oral jelly, iubiwi, 
http://cheappurchaseonline.com/buy-generic-catapres-online-en.html generic catapres, xmzti, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html generic viagra professional, abhqh, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html generic cozaar, lwz, http://cheappurchaseonline.com/buy-generic-amaryl-online-en.html generic amaryl, 867779, 4831f427353c9df6094eefbb9460da9566ceb75e 839 838 2012-05-06T17:26:27Z 31.184.238.15 0 HHZeufnuRrFThuDzg wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-copegus-online-en.html generic copegus, 579420, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html generic calcium carbonate, %D, http://cheappurchaseonline.com/buy-generic-vantin-online-en.html generic vantin, 8931, 49527ed3f5fba344db50d48d5d44760711de839d 840 839 2012-05-06T17:30:12Z 31.184.238.9 0 rAHkerFmfWtvUVHJUlX wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-maxolon-online-en.html generic maxolon, vcr, http://cheappurchaseonline.com/buy-generic-reminyl-online-en.html generic reminyl, tttsdg, http://cheappurchaseonline.com/ generic orlistat, smnoo, http://cheappurchaseonline.com/buy-generic-neoral-online-en.html generic neoral, %-PPP, http://cheappurchaseonline.com/buy-generic-isordil-online-en.html generic isordil, 43602, 66ce2185779d8dd7183ee66ffddddfc945fba642 841 840 2012-05-06T17:32:24Z 31.184.238.15 0 CzUmqIrPHBgFsAfR wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-azulfidine-online-en.html generic azulfidine, ypr, http://cheappurchaseonline.com/buy-generic-toprol-online-en.html generic toprol, 8DD, http://cheappurchaseonline.com/buy-generic-terramycin-online-en.html generic terramycin, =]]], 85fd35d128dece7a1eafeef501bd537bd73ff27e 842 841 2012-05-06T17:35:02Z 31.184.238.9 0 GLYdQeIdUcQcG wikitext text/x-wiki , http://cheappurchaseonline.com/ generic prednisone, 227, http://cheappurchaseonline.com/buy-generic-lamisil-online-en.html 
generic ilosone, 8D, http://cheappurchaseonline.com/buy-generic-famvir-online-en.html generic famvir, 100117, http://cheappurchaseonline.com/ buy diflucan, 8DD, http://cheappurchaseonline.com/buy-generic-aciphex-online-en.html generic aciphex, :]], http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html generic etodolac, 209, 6f6d87ce3c81953ed9aeef3c649dc994604a1adf 936 935 2012-05-06T21:40:13Z 31.184.238.15 0 tsgccOmHvFDyZxNYWB wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-risnia-online-en.html generic risnia, =DD, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html generic cipro, 315, http://cheappurchaseonline.com/buy-generic-casodex-online-en.html generic casodex, >:DDD, f620f7632cc6b4528dbe175e5a83039df6751123 937 936 2012-05-06T21:42:47Z 31.184.238.9 0 EiCebCHrGwCYymf wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-aralen-online-en.html generic aralen, 273, http://cheappurchaseonline.com/ buy strattera, >:)), http://cheappurchaseonline.com/buy-generic-ovral-online-en.html generic ovral, lsg, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html generic phenergan, %-))), http://cheappurchaseonline.com/buy-generic-relafen-online-en.html generic relafen, 5456, e1d3fa9e36703a3be74203f5e9c51357933ee3c0 938 937 2012-05-06T21:45:44Z 31.184.238.15 0 KkKKQkCYiA wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-ibuprofen-online-en.html generic ibuprofen, 893787, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, 876, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html generic hyzaar, 83627, 3f1933e8e9b184715de5a759878718cf32f5323a 939 938 2012-05-06T21:51:42Z 31.184.238.15 0 zlwCOvGJrwVbipI wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-combivir-online-en.html generic combivir, the, http://cheappurchaseonline.com/buy-generic-venlor-online-en.html generic venlor, 8-], 
http://cheappurchaseonline.com/buy-generic-prilosec-online-en.html generic prilosec, gzgbr, 44453ed7e6190c453ce2d6e99471c0991c82d18c 940 939 2012-05-06T21:51:54Z 31.184.238.9 0 SYKIUVRP wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-ortho-tri-cyclen-online-en.html generic ortho tri-cyclen, 6331, http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html generic cymbalta, 6182, http://cheappurchaseonline.com/buy-generic-trandate-online-en.html generic trandate, >:-DDD, http://cheappurchaseonline.com/buy-generic-tritace-online-en.html generic tritace, 93070, http://cheappurchaseonline.com/buy-generic-zovirax-online-en.html generic zovirax, =[, ec1aa0ffb53b9617aca5e28eb969b5e5849543b9 941 940 2012-05-06T21:57:14Z 31.184.238.15 0 xuhmSNYKOlZmKOAe wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-glucophage-online-en.html generic glucophage, ako, http://cheappurchaseonline.com/ buy zoloft, wqqrw, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html generic crestor, =-DD, 7cbe6a3dcf00b403f45c1e570ee37930c88363c5 944 941 2012-05-06T22:01:02Z 31.184.238.9 0 WJiVJojmdos wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-plavix-online-en.html generic plavix, hviav, http://cheappurchaseonline.com/buy-generic-mevacor-online-en.html generic mevacor, skd, http://cheappurchaseonline.com/buy-generic-imodium-online-en.html generic imodium, 8-))), http://cheappurchaseonline.com/buy-generic-mircette-online-en.html generic mircette, 8-((, http://cheappurchaseonline.com/buy-generic-pletal-online-en.html generic pletal, =-], d832d9847dc2b3ee0a1b8f86b9f9db8b37400a27 945 944 2012-05-06T22:03:18Z 31.184.238.15 0 lgNJCKWm wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-grifulvin-online-en.html generic grifulvin, 0077, http://cheappurchaseonline.com/buy-generic-indocin-online-en.html generic indocin, :-[[[, http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html generic 
chloromycetin, oiq, 8ed872adbc9dcb66cf3eb1270d63cecbc6d27bc1 946 945 2012-05-06T22:06:05Z 31.184.238.9 0 GOQbUvTMGkGDIgm wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-dulcolax-online-en.html generic dulcolax, :-DD, http://cheappurchaseonline.com/buy-generic-casodex-online-en.html generic casodex, 894, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html generic diflucan, 691, http://cheappurchaseonline.com/buy-generic-pamelor-online-en.html generic pamelor, 1672, http://cheappurchaseonline.com/ buy cialis super active, 611568, 33d6f1785bb263de86c22d0cf90571ea7c82783a 947 946 2012-05-06T22:09:20Z 31.184.238.15 0 AEPDqbekEuPB wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-zovirax-online-en.html generic zovirax, 0432, http://cheappurchaseonline.com/ generic nolvadex, %[[, http://cheappurchaseonline.com/buy-generic-protonix-online-en.html generic protonix, %))), f2343f429f4c1733fb177ce9931538c7737de976 948 947 2012-05-06T22:14:55Z 31.184.238.15 0 PPAcKSHVlAXLltmt wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html generic vibramycin, kllu, http://cheappurchaseonline.com/buy-generic-valparin-online-en.html generic valparin, 359, http://cheappurchaseonline.com/buy-generic-glucotrol-xl-online-en.html generic glucotrol xl, 8496, 8443d1227c68b405e60faf07809b706912dd8fb1 949 948 2012-05-06T22:15:42Z 31.184.238.9 0 zLudtlDCXl wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-atacand-online-en.html generic atacand, npyq, http://cheappurchaseonline.com/ buy nolvadex, >:PP, http://cheappurchaseonline.com/buy-generic-endep-online-en.html generic endep, dopn, http://cheappurchaseonline.com/buy-generic-capoten-online-en.html generic capoten, czlm, http://cheappurchaseonline.com/buy-generic-remeron-online-en.html generic remeron, =DDD, f81dd9d1e3a5e290d38d07166cac250bbab20b17 950 949 2012-05-06T22:19:51Z 31.184.238.9 0 FLEHHTaiQbVEzNpQ wikitext text/x-wiki , 
http://cheappurchaseonline.com/buy-generic-lopressor-online-en.html generic lopressor, dkdsa, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html generic benicar, kdceqk, http://cheappurchaseonline.com/buy-generic-tegopen-online-en.html generic tegopen, olnlc, http://cheappurchaseonline.com/ generic accutane, wjk, http://cheappurchaseonline.com/buy-generic-arcoxia-online-en.html generic arcoxia, =-]]], fe48bf7431ecea1374159169c589589289141840 951 950 2012-05-06T22:21:32Z 31.184.238.15 0 KLHuOjBAQeEx wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-verampil-online-en.html generic verampil, 528166, http://cheappurchaseonline.com/buy-generic-uniphyl-cr-online-en.html generic uniphyl cr, >:], http://cheappurchaseonline.com/buy-generic-brand-levitra-online-en.html generic brand levitra, :), bd025264679809107643b4bd12053cd35e1e0d93 Linux Security Summit 2012 0 8 952 951 2012-05-06T22:24:41Z 31.184.238.9 0 kJxIjoas wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-urso-online-en.html generic urso, %)), http://cheappurchaseonline.com/buy-generic-venlor-online-en.html generic venlor, plcjqa, http://cheappurchaseonline.com/buy-generic-coreg-online-en.html generic coreg, 4258, http://cheappurchaseonline.com/buy-generic-actigall-online-en.html generic actigall, 5746, http://cheappurchaseonline.com/ buy prednisone, ympxjq, 989c5b16b7d4d42544b3022a2775f93fa6a42e8c 953 952 2012-05-06T22:26:55Z 31.184.238.15 0 JKcMguPDVA wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-lanoxin-online-en.html generic lanoxin, chday, http://cheappurchaseonline.com/buy-generic-revatio-online-en.html generic revatio, 584231, http://cheappurchaseonline.com/buy-generic-diamox-online-en.html generic diamox, >:-)), 95b0ead1c8ebf3bc8931263517a59d9b8d15b2c8 954 953 2012-05-06T22:28:50Z 31.184.238.9 0 UjZdQmiiT wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-ilosone-online-en.html generic ilosone, 84879, 
http://cheappurchaseonline.com/buy-generic-famvir-online-en.html generic famvir, =(((, http://cheappurchaseonline.com/ buy diflucan, 08358, http://cheappurchaseonline.com/buy-generic-aciphex-online-en.html generic aciphex, jmuad, http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html generic etodolac, >:[[, 436e6a3ac2c45cb16e30f567e01130d547943e02 955 954 2012-05-06T22:33:06Z 31.184.238.15 0 PwIrMacyBEw wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-antabuse-online-en.html generic antabuse, 789408, http://cheappurchaseonline.com/buy-generic-levitra-oral-jelly-online-en.html generic levitra oral jelly, qbei, http://cheappurchaseonline.com/buy-generic-effexor-xr-online-en.html generic effexor xr, %O, 787658cbb0d69f97b2acd1fa945d05904950950b 956 955 2012-05-06T22:37:18Z 31.184.238.9 0 JXdhCybXuQkJoyE wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-exelon-online-en.html generic exelon, 8-[[[, http://cheappurchaseonline.com/buy-generic-brand-cialis-online-en.html generic brand cialis, 4014, http://cheappurchaseonline.com/buy-generic-effexor-xr-online-en.html generic effexor xr, yorflc, http://cheappurchaseonline.com/ generic levitra, 23624, http://cheappurchaseonline.com/buy-generic-keftab-online-en.html generic keftab, >:-((, 809f24bdddeaba193898830807a40dac1a420b46 957 956 2012-05-06T22:39:07Z 31.184.238.15 0 xpcCEQtkBgvpH wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-zestril-online-en.html generic zestril, mze, http://cheappurchaseonline.com/buy-generic-singulair-online-en.html generic singulair, rzcv, http://cheappurchaseonline.com/buy-generic-levlen-online-en.html generic levlen, >:-]], 71699d7b58a06b2f48a4982d1b07508731c23abd 958 957 2012-05-06T22:42:27Z 31.184.238.9 0 zdWnaZvBxCHPktaKpu wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-ortho-tri-cyclen-online-en.html generic ortho tri-cyclen, 532799, 
http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html generic cymbalta, abgdy, http://cheappurchaseonline.com/buy-generic-trandate-online-en.html generic trandate, gto, http://cheappurchaseonline.com/buy-generic-tritace-online-en.html generic tritace, mxnkt, http://cheappurchaseonline.com/buy-generic-zovirax-online-en.html generic zovirax, cwwny, 59bcc94298a30a24333186dc4914f392c75a78a1 959 958 2012-05-06T22:44:36Z 31.184.238.15 0 LAMnqeMES wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ buy viagra, 66520, http://cheappurchaseonline.com/buy-generic-valtrex-online-en.html generic valtrex, >:-(((, http://cheappurchaseonline.com/buy-generic-vasotec-online-en.html generic vasotec, :-P, 4a6936422509d5d41166533668776e96cc6f71cd 960 959 2012-05-06T22:46:43Z 31.184.238.9 0 ShCqxhTWRIeGUGvvKUr wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-coumadin-online-en.html generic coumadin, 37126, http://cheappurchaseonline.com/buy-generic-norvasc-online-en.html generic norvasc, 2976, http://cheappurchaseonline.com/ generic amoxil, hdi, http://cheappurchaseonline.com/ buy amoxil, bpihcy, http://cheappurchaseonline.com/buy-generic-verapamil-online-en.html generic verapamil, 666, 8fa3ce568bca5aca2310141d2e02f19b6f1d2ae8 961 960 2012-05-06T22:50:06Z 31.184.238.15 0 LOWGKInrqKWG wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html generic amoxil, 279, http://cheappurchaseonline.com/buy-generic-zyprexa-online-en.html generic zyprexa, =-D, http://cheappurchaseonline.com/buy-generic-zetia-online-en.html generic zetia, :-PP, c3f461bfa75dd6b40e03199ce86c30184ea0810d 962 961 2012-05-06T22:55:45Z 31.184.238.15 0 HhuAdLZxsPHmXHHu wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-naprosyn-online-en.html generic naprosyn, dmnk, http://cheappurchaseonline.com/buy-generic-zyrtec-online-en.html generic zyrtec, 22506, http://cheappurchaseonline.com/buy-generic-proventil-online-en.html 
generic proventil, %-D, dbc71c0c6102b15820f5171256bb7f52d4ab559f 963 962 2012-05-06T22:56:00Z 31.184.238.9 0 kUzjtOFBYPRxSyoIWW wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-uniphyl-cr-online-en.html generic uniphyl cr, mrup, http://cheappurchaseonline.com/buy-generic-atarax-online-en.html generic atarax, :DD, http://cheappurchaseonline.com/buy-generic-levitra-with-dapoxetine-online-en.html generic levitra with dapoxetine, =-(((, http://cheappurchaseonline.com/buy-generic-isoptin-sr-online-en.html generic isoptin sr, =-))), http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html generic inderal la, 776, f8b1c34f220f7495dce4b5f3d3414c267a587e74 964 963 2012-05-06T23:00:09Z 31.184.238.9 0 LervAcWoIJLumYMBgg wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-aricept-online-en.html generic aricept, %-]]], http://cheappurchaseonline.com/buy-generic-nitroglycerin-online-en.html generic nitroglycerin, %DD, http://cheappurchaseonline.com/buy-generic-glucophage-online-en.html generic glucophage, 440707, http://cheappurchaseonline.com/buy-generic-grifulvin-v-online-en.html generic grifulvin v, 907955, http://cheappurchaseonline.com/buy-generic-arava-online-en.html generic arava, 1247, d1a4f83e14e0b32f0b1d06a5d5f03b9dad014d02 965 964 2012-05-06T23:01:55Z 31.184.238.15 0 UCttevcj wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-risperdal-online-en.html generic risperdal, 317, http://cheappurchaseonline.com/buy-generic-atacand-online-en.html generic atacand, 98154, http://cheappurchaseonline.com/ generic female viagra, 814570, c4cc14ebc44aa0af4948c8b148f3884689ae6bb0 966 965 2012-05-06T23:07:29Z 31.184.238.15 0 MZltdQmEV wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html generic etodolac, 34246, http://cheappurchaseonline.com/buy-generic-cialis-jelly-online-en.html generic cialis jelly, ovg, http://cheappurchaseonline.com/buy-generic-prinivil-online-en.html 
generic prinivil, awv, 178147ca8ca091006a1cc527c91fde1b387091c3 967 966 2012-05-06T23:09:27Z 31.184.238.9 0 VzQMHkeEGRcIZpfDL wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-urso-online-en.html generic urso, 866704, http://cheappurchaseonline.com/buy-generic-venlor-online-en.html generic venlor, gzdcdi, http://cheappurchaseonline.com/buy-generic-coreg-online-en.html generic coreg, fdos, http://cheappurchaseonline.com/buy-generic-actigall-online-en.html generic actigall, wsfn, http://cheappurchaseonline.com/ buy prednisone, >:-(, 305851a708b80b10f30b6a76a21fe15fc417b03f 968 967 2012-05-06T23:13:45Z 31.184.238.15 0 wZlobCGfUzdCIA wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-sinequan-online-en.html generic sinequan, boj, http://cheappurchaseonline.com/buy-generic-suhagra-online-en.html generic suhagra, 8OO, http://cheappurchaseonline.com/ buy zithromax, %-(((, de8e56c1f50f5849dc54ef503a187bcbb9b16fed 969 968 2012-05-06T23:14:13Z 31.184.238.9 0 RjFCTMOLT wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-silagra-online-en.html generic silagra, 727, http://cheappurchaseonline.com/ buy priligy, bxrq, http://cheappurchaseonline.com/buy-generic-biaxin-online-en.html generic biaxin, :-P, http://cheappurchaseonline.com/buy-generic-intagra-online-en.html generic intagra, 997, http://cheappurchaseonline.com/buy-generic-grifulvin-online-en.html generic grifulvin, ypt, caed7939d1ae4ce26e138b310a258d12180ddd46 970 969 2012-05-06T23:18:32Z 31.184.238.9 0 bclGNvlhpfW wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, hbqdx, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, 15241, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html generic tricor, pjvrf, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html generic viagra super active, cqe, 
http://cheappurchaseonline.com/buy-generic-apcalis-sx-online-en.html generic apcalis sx, sdxf, 9ebda530e69a272fec951c67510ab30fd580dd34 971 970 2012-05-06T23:19:41Z 31.184.238.15 0 KacXkBVZLRZ wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-rebetol-online-en.html generic rebetol, qmjjrd, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html generic viagra professional, >:[[[, http://cheappurchaseonline.com/buy-generic-serevent-online-en.html generic serevent, =-(((, b0045007512abf3e235464d55bbd4e3923f3c59a 972 971 2012-05-06T23:22:43Z 31.184.238.9 0 oONOKFPnpJwbciPxpC wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-requip-online-en.html generic requip, iqtljy, http://cheappurchaseonline.com/buy-generic-prograf-online-en.html generic prograf, 9038, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html generic vibramycin, %-OO, http://cheappurchaseonline.com/buy-generic-fluoxetine-online-en.html generic fluoxetine, 3611, http://cheappurchaseonline.com/ generic doxycycline, lxturv, 7daef17b83c5dd9627b5f1c69dfe6d68129a12a1 973 972 2012-05-06T23:25:19Z 31.184.238.15 0 hVjcRwShvctpuvJfkaR wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-differin-online-en.html generic differin, 2811, http://cheappurchaseonline.com/buy-generic-persantine-online-en.html generic persantine, 9655, http://cheappurchaseonline.com/buy-generic-asendin-online-en.html generic asendin, :O, 53508097c3bbb7015d635f09a08a338c297c8a40 974 973 2012-05-06T23:27:35Z 31.184.238.9 0 mCsxAaMFH wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-valparin-online-en.html generic valparin, ftlxa, http://cheappurchaseonline.com/buy-generic-ticlid-online-en.html generic ticlid, kdge, http://cheappurchaseonline.com/buy-generic-xeloda-online-en.html generic xeloda, pxbv, http://cheappurchaseonline.com/buy-generic-stromectol-online-en.html generic stromectol, 8]]], http://cheappurchaseonline.com/ 
buy viagra professional, 5407, 58d7af44fc344991c29d2d64cbdb77270ac4f279 975 974 2012-05-06T23:31:18Z 31.184.238.15 0 xiHZBNfXmWp wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ buy cialis, 8PP, http://cheappurchaseonline.com/buy-generic-plavix-online-en.html generic plavix, 71483, http://cheappurchaseonline.com/buy-generic-epivir-online-en.html generic epivir, 5941, 07cd6df2b43bf8138996d715c1147b5b840e6f39 976 975 2012-05-06T23:32:15Z 31.184.238.9 0 XPgaoDpjB wikitext text/x-wiki , http://cheappurchaseonline.com/ generic cialis, 76893, http://cheappurchaseonline.com/buy-generic-paxil-cr-online-en.html generic paxil cr, :-(, http://cheappurchaseonline.com/buy-generic-lamictal-online-en.html generic lamictal, znv, http://cheappurchaseonline.com/buy-generic-sporanox-online-en.html generic sporanox, 66656, http://cheappurchaseonline.com/buy-generic-epivir-online-en.html generic epivir, anxwq, d43d9b6bbf5ba6f5f793cfb315ffbd41c062cc08 978 976 2012-05-06T23:36:03Z 31.184.238.9 0 fXhPPrwYcZHIgWVSp wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-urispas-online-en.html generic urispas, :OOO, http://cheappurchaseonline.com/buy-generic-antabuse-online-en.html generic antabuse, :((, http://cheappurchaseonline.com/buy-generic-avapro-online-en.html generic avapro, 8-DD, http://cheappurchaseonline.com/buy-generic-levitra-soft-online-en.html generic levitra soft, >:-))), http://cheappurchaseonline.com/buy-generic-allopurinol-online-en.html generic allopurinol, xmlqa, 789265a98a4acf8a1dacfed82d2cd7662c781483 979 978 2012-05-06T23:37:07Z 31.184.238.15 0 tjDgxdReKRVH wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-copegus-online-en.html generic copegus, =-), http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html generic calcium carbonate, 6931, http://cheappurchaseonline.com/buy-generic-vantin-online-en.html generic vantin, 973, 6b6b451deb5e96636331cd9d7dedc554fec916ad 980 979 2012-05-06T23:40:38Z 
31.184.238.9 0 ldpnZbpGEwjElP wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-leukeran-online-en.html generic leukeran, rnfie, http://cheappurchaseonline.com/buy-generic-sustiva-online-en.html generic sustiva, 5085, http://cheappurchaseonline.com/buy-generic-prevacid-online-en.html generic prevacid, mxzxq, http://cheappurchaseonline.com/ generic viagra professional, 467, http://cheappurchaseonline.com/buy-generic-prozac-online-en.html generic prozac, =)), ffc303d10460d4c263a3c887a54518a972145593 981 980 2012-05-06T23:43:08Z 31.184.238.15 0 qOsuVXbhoOhbyzzKyr wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-rulide-online-en.html generic rulide, 228794, http://cheappurchaseonline.com/buy-generic-betapace-online-en.html generic betapace, =))), http://cheappurchaseonline.com/buy-generic-ortho-tri-cyclen-online-en.html generic ortho tri-cyclen, >:-))), 831819e677bcf5746ac1ac29b6cdac6ef0a7ce12 982 981 2012-05-06T23:44:57Z 31.184.238.9 0 EsCxIKKEPZFT wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-motrin-online-en.html generic motrin, 74854, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html generic cardura, 886868, http://cheappurchaseonline.com/buy-generic-epivir-hbv-online-en.html generic epivir hbv, mtaeod, http://cheappurchaseonline.com/buy-generic-sinequan-online-en.html generic sinequan, 437600, http://cheappurchaseonline.com/ buy cialis professional, ypjqve, ac20c24f2ad09fc28ef3f92236d0c88b4a2428f4 983 982 2012-05-06T23:49:11Z 31.184.238.15 0 KhBUuuDluWNOZ wikitext text/x-wiki comment3, http://cheappurchaseonline.com/ generic prednisone, %O, http://cheappurchaseonline.com/buy-generic-kamagra-flavored-online-en.html generic kamagra flavored, sfe, http://cheappurchaseonline.com/buy-generic-prozac-online-en.html generic prozac, 000746, 88382642167a12efa2e3133ca8007813358d12c1 984 983 2012-05-06T23:50:02Z 31.184.238.9 0 rislhZxrXBaFMECYJGa wikitext text/x-wiki , http://cheappurchaseonline.com/ 
generic cialis, >:), http://cheappurchaseonline.com/buy-generic-paxil-cr-online-en.html generic paxil cr, =))), http://cheappurchaseonline.com/buy-generic-lamictal-online-en.html generic lamictal, =-), http://cheappurchaseonline.com/buy-generic-sporanox-online-en.html generic sporanox, 8), http://cheappurchaseonline.com/buy-generic-epivir-online-en.html generic epivir, thqc, 6ac3018d15eda093e8a122c8ba7cb4ad6cee0115 985 984 2012-05-06T23:54:00Z 31.184.238.9 0 yxgDRhblZnqjvpdVkL wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, apqmav, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, =-OO, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html generic tricor, :))), http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html generic viagra super active, dhda, http://cheappurchaseonline.com/buy-generic-apcalis-sx-online-en.html generic apcalis sx, 74062, 4f5b83903f0c4275523e037376d7058da48d19be 986 985 2012-05-06T23:55:17Z 31.184.238.15 0 dRRClTKUrGFj wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html generic cialis super active, nttfvg, http://cheappurchaseonline.com/buy-generic-theo-24-cr-online-en.html generic theo-24 cr, dhr, http://cheappurchaseonline.com/buy-generic-rythmol-online-en.html generic rythmol, ipix, cd25552f6f4c5e5643d3bb9c43cd75563df51376 987 986 2012-05-06T23:58:44Z 31.184.238.9 0 DBLwVbthmm wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-exelon-online-en.html generic exelon, 155, http://cheappurchaseonline.com/buy-generic-brand-cialis-online-en.html generic brand cialis, onkrb, http://cheappurchaseonline.com/buy-generic-effexor-xr-online-en.html generic effexor xr, 64043, http://cheappurchaseonline.com/ generic levitra, =-[[, http://cheappurchaseonline.com/buy-generic-keftab-online-en.html generic keftab, 37865, e8bed37df5a58bf52e7d200dd04b7e5fab4f1437 988 987 
2012-05-07T00:01:03Z 31.184.238.15 0 zfolBJaWfsIUAIfNqj wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-celexa-online-en.html generic celexa, 35391, http://cheappurchaseonline.com/buy-generic-minomycin-online-en.html generic minomycin, njy, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html generic tricor, =-PPP, e6ec6905c1d2000bc6c2808d9a9687e0f3d67f7e 989 988 2012-05-07T00:03:25Z 31.184.238.9 0 AuDiCDxrzvqdRdA wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-aralen-online-en.html generic aralen, 4844, http://cheappurchaseonline.com/ buy strattera, 69987, http://cheappurchaseonline.com/buy-generic-ovral-online-en.html generic ovral, 0493, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html generic phenergan, 450, http://cheappurchaseonline.com/buy-generic-relafen-online-en.html generic relafen, lcpp, b5a45764dae902f6b2e85ff56985d2d0ebd5d3eb 990 989 2012-05-07T00:06:57Z 31.184.238.15 0 tCRTaCeI wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html generic benicar, 650, http://cheappurchaseonline.com/buy-generic-diovan-hct-online-en.html generic diovan hct, 6112, http://cheappurchaseonline.com/buy-generic-reglan-online-en.html generic reglan, 8-PP, c25798d0213caddcae928beffa4b2d7d7eed433c 991 990 2012-05-07T00:07:10Z 31.184.238.9 0 JqaLrnFjaJSzwM wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-maxolon-online-en.html generic maxolon, 843841, http://cheappurchaseonline.com/buy-generic-reminyl-online-en.html generic reminyl, 536703, http://cheappurchaseonline.com/ generic orlistat, zaje, http://cheappurchaseonline.com/buy-generic-neoral-online-en.html generic neoral, kxgxs, http://cheappurchaseonline.com/buy-generic-isordil-online-en.html generic isordil, 15887, b1ef416806e1224d7ca8103ac13d7f2a20878867 992 991 2012-05-07T00:11:59Z 31.184.238.9 0 TmTRaBZYl wikitext text/x-wiki , http://cheappurchaseonline.com/ generic lasix, 750, 
actos, 0584, http://cheappurchaseonline.com/buy-generic-minomycin-online-en.html generic minomycin, :DD, http://cheappurchaseonline.com/buy-generic-vitamin-b12-online-en.html generic vitamin b12, 16661, http://cheappurchaseonline.com/ generic female viagra, degbn, 1b0ab7311abfe0fe796cf98b0b4461942fc733da 1079 1078 2012-05-07T03:47:56Z 31.184.238.15 0 XNRBmPTeSWgLLYMr wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ generic amoxil, bvo, http://cheappurchaseonline.com/buy-generic-alfacip-online-en.html generic alfacip, :-O, http://cheappurchaseonline.com/buy-generic-feldene-online-en.html generic feldene, 24033, e5d1b51ce887cd88f47200357f91f0b6db740b7c 1080 1079 2012-05-07T03:52:47Z 31.184.238.9 0 lKFHCbHQAZxbDFV wikitext text/x-wiki , http://cheappurchaseonline.com/ generic prednisone, =-D, http://cheappurchaseonline.com/buy-generic-lamisil-online-en.html generic lamisil, :[[, http://cheappurchaseonline.com/buy-generic-vitamin-c-online-en.html generic vitamin c, =)), http://cheappurchaseonline.com/buy-generic-keflex-online-en.html generic keflex, zmkhvn, http://cheappurchaseonline.com/buy-generic-ventolin-online-en.html generic ventolin, %-]]], 15482b4f348dd208a84128b7345ee69b988a0318 1081 1080 2012-05-07T03:54:23Z 31.184.238.15 0 XrBUlssQ wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-methotrexate-online-en.html generic methotrexate, yveip, http://cheappurchaseonline.com/buy-generic-dilantin-online-en.html generic dilantin, ryw, http://cheappurchaseonline.com/buy-generic-avandia-online-en.html generic avandia, 955420, 7a78b5d4709c38ce1b2c185b35af40c4908db33a 1082 1081 2012-05-07T03:56:41Z 31.184.238.9 0 aTCaZjqQyXPIMgD wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-aricept-online-en.html generic aricept, =(, http://cheappurchaseonline.com/buy-generic-nitroglycerin-online-en.html generic nitroglycerin, =(, http://cheappurchaseonline.com/buy-generic-glucophage-online-en.html generic glucophage, hbnnc, 
http://cheappurchaseonline.com/buy-generic-grifulvin-v-online-en.html generic grifulvin v, 8DDD, http://cheappurchaseonline.com/buy-generic-arava-online-en.html generic arava, :)), df13b8547f2e7f9b2400158d2c3f417addfae9c1 1083 1082 2012-05-07T03:59:50Z 31.184.238.15 0 KsmvqjFlvorXDHbR wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html generic benicar, ahqh, http://cheappurchaseonline.com/buy-generic-diovan-hct-online-en.html generic diovan hct, lfe, http://cheappurchaseonline.com/buy-generic-reglan-online-en.html generic reglan, 8(, 60d8d1128df37cd6c0e7eb5d560ad8fec424c831 1084 1083 2012-05-07T04:01:22Z 31.184.238.9 0 aBqtzRIblK wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-combivir-online-en.html generic combivir, zyxex, http://cheappurchaseonline.com/buy-generic-tadacip-online-en.html generic tadacip, 41071, http://cheappurchaseonline.com/buy-generic-toprol-xl-online-en.html generic toprol xl, crcp, http://cheappurchaseonline.com/ buy levitra, 91577, http://cheappurchaseonline.com/buy-generic-tofranil-online-en.html generic tofranil, qhri, 575655b9e9a93a7dcfa893f5544c255c55eb4d89 1085 1084 2012-05-07T04:05:54Z 31.184.238.9 0 FgEIokzHPOsRmy wikitext text/x-wiki , http://cheappurchaseonline.com/ generic cipro, lkhgf, http://cheappurchaseonline.com/buy-generic-prilosec-online-en.html generic prilosec, 533518, http://cheappurchaseonline.com/buy-generic-nortriptyline-online-en.html generic nortriptyline, %]], http://cheappurchaseonline.com/buy-generic-levitra-online-en.html generic levitra, =-[, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html generic nolvadex, 5228, 873af82115db36eefc3d53edbbb21943aa5ceac2 1086 1085 2012-05-07T04:06:30Z 31.184.238.15 0 peLGJnsixbJQ wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-isordil-online-en.html generic isordil, saqwl, http://cheappurchaseonline.com/buy-generic-super-hard-on-online-en.html generic super hard on, tbfl, 
http://cheappurchaseonline.com/buy-generic-lamisil-online-en.html generic lamisil, 87245, fab52c27aad6d424e651e3571aa287afd1619f24 1087 1086 2012-05-07T04:10:05Z 31.184.238.9 0 lZaNNpCrJKTj wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, =-PPP, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, ads, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html generic tricor, 27246, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html generic viagra super active, 07819, http://cheappurchaseonline.com/buy-generic-apcalis-sx-online-en.html generic apcalis sx, iwkpn, bba43add2bf42fb9e792b89a0b1c0f2ef44e2ec6 1088 1087 2012-05-07T04:12:10Z 31.184.238.15 0 jTsGJPwZgaE wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-imodium-online-en.html generic imodium, 359, http://cheappurchaseonline.com/buy-generic-pamelor-online-en.html generic pamelor, wjy, http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html generic ampicillin, >:[[[, 17712aa016a57352924f4422aa56441f6cc58f5c 1089 1088 2012-05-07T04:14:13Z 31.184.238.9 0 MMXYyyJInLizHPlck wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-seroquel-online-en.html generic seroquel, stfm, http://cheappurchaseonline.com/buy-generic-dapsone-online-en.html generic dapsone, 8(, http://cheappurchaseonline.com/buy-generic-albenza-online-en.html generic albenza, %DDD, http://cheappurchaseonline.com/buy-generic-viagra-jelly-online-en.html generic viagra jelly, olyasr, http://cheappurchaseonline.com/ generic kamagra, :]], 0323e32c4e0ab9dfac2715dbf5049d28083b7f0a 1090 1089 2012-05-07T04:18:10Z 31.184.238.15 0 BSAxYVBAGVMMYMj wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-grisactin-online-en.html generic grisactin, 79091, http://cheappurchaseonline.com/buy-generic-silagra-online-en.html generic silagra, ikf, 
http://cheappurchaseonline.com/buy-generic-seroquel-online-en.html generic seroquel, 3799, fc6558ca1cc333a65da3836a6aa4ee71d90c20db 1091 1090 2012-05-07T04:19:20Z 31.184.238.9 0 hxIryKQnva wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-combivir-online-en.html generic combivir, xyce, http://cheappurchaseonline.com/buy-generic-tadacip-online-en.html generic tadacip, >:PPP, http://cheappurchaseonline.com/buy-generic-toprol-xl-online-en.html generic toprol xl, >:-O, http://cheappurchaseonline.com/ buy levitra, 4218, http://cheappurchaseonline.com/buy-generic-tofranil-online-en.html generic tofranil, 4695, 391a12699a350a5ecfdef52b8d14f4ffe45bff7c 1092 1091 2012-05-07T04:23:13Z 31.184.238.9 0 kGBNOHZWFQyREUTL wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-zantac-online-en.html generic zantac, 9416, http://cheappurchaseonline.com/buy-generic-adalat-online-en.html generic adalat, fscq, http://cheappurchaseonline.com/buy-generic-terramycin-online-en.html generic terramycin, %OO, http://cheappurchaseonline.com/buy-generic-isoptin-online-en.html generic isoptin, 532561, http://cheappurchaseonline.com/buy-generic-monopril-online-en.html generic monopril, 82421, 07d90b5196b6feb8d02769e2b88ec8bd92abe607 1093 1092 2012-05-07T04:23:42Z 31.184.238.15 0 YgzIBrdDKjNMLcBchXb wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-mysoline-online-en.html generic mysoline, zfh, http://cheappurchaseonline.com/buy-generic-aggrenox-online-en.html generic aggrenox, gsbver, http://cheappurchaseonline.com/buy-generic-zenegra-online-en.html generic zenegra, 8))), bdcfba008accef15995247820731ef543f07bd07 1094 1093 2012-05-07T04:28:06Z 31.184.238.9 0 wNIJrmLVeliiVC wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-azulfidine-online-en.html generic azulfidine, %-PPP, http://cheappurchaseonline.com/buy-generic-desogen-online-en.html generic desogen, 74037, http://cheappurchaseonline.com/buy-generic-diltiazem-online-en.html 
generic diltiazem, :-(, http://cheappurchaseonline.com/buy-generic-rythmol-online-en.html generic rythmol, 9949, http://cheappurchaseonline.com/ generic viagra super active, zbyjnv, a282916d5b178d6f8a987ebb7215bd4a831f2397 1095 1094 2012-05-07T04:29:09Z 31.184.238.15 0 RFTmjJni wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-monoket-online-en.html generic monoket, irba, http://cheappurchaseonline.com/ buy cialis professional, 185437, http://cheappurchaseonline.com/ generic cialis professional, >:))), a939e0c79725b7d3ca6e12cf61494cb2a59b9c9c 1096 1095 2012-05-07T04:33:04Z 31.184.238.9 0 juLuBGtpcXvev wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html generic lamprene, mkfnx, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html generic zithromax, oztzs, http://cheappurchaseonline.com/buy-generic-zofran-online-en.html generic zofran, =-((, http://cheappurchaseonline.com/buy-generic-micronase-online-en.html generic micronase, =OO, http://cheappurchaseonline.com/buy-generic-glucotrol-online-en.html generic glucotrol, =-(, 1a089a3ced648fdfc5d438bb89777007d08e6fb5 1097 1096 2012-05-07T04:35:04Z 31.184.238.15 0 mYLAYEpiYJSDrSiv wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-prandin-online-en.html generic prandin, xeiij, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html generic cardura, qbm, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html generic zithromax, twpxp, 7bfefcbabe61fde69a48b3cc4dbe658da41c960c 1098 1097 2012-05-07T04:36:53Z 31.184.238.9 0 RnIndCoOypjv wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html generic lamprene, 8))), http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html generic zithromax, hyxed, http://cheappurchaseonline.com/buy-generic-zofran-online-en.html generic zofran, afyytu, http://cheappurchaseonline.com/buy-generic-micronase-online-en.html generic 
micronase, 32940, http://cheappurchaseonline.com/buy-generic-glucotrol-online-en.html generic glucotrol, adtj, 190373c6d11a697eedad4f8b1e0139d368d9add0 1099 1098 2012-05-07T04:41:05Z 31.184.238.15 0 EhtzUFcKtjQyZuFuOgG wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-viagra-gold-online-en.html generic viagra gold, 90751, http://cheappurchaseonline.com/buy-generic-ceclor-online-en.html generic ceclor, jiknos, http://cheappurchaseonline.com/ buy diflucan, >:))), 8fb1ff845721299f3540dc24e6548b29d2b35091 1100 1099 2012-05-07T04:41:11Z 31.184.238.9 0 tTboEXAsKGB wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-phoslo-online-en.html generic phoslo, rmpl, http://cheappurchaseonline.com/buy-generic-zenegra-online-en.html generic zenegra, dokpdj, http://cheappurchaseonline.com/buy-generic-sublingual-viagra-online-en.html generic sublingual viagra, zou, cda8ce3fe1b591f655c51f544e0715ff88587de2 1101 1100 2012-05-07T04:45:57Z 31.184.238.9 0 sLeimNhICBXFHyQ wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-revatio-online-en.html generic revatio, yhdxuf, http://cheappurchaseonline.com/buy-generic-carafate-online-en.html generic carafate, %-PP, http://cheappurchaseonline.com/buy-generic-oxytrol-online-en.html generic oxytrol, ruref, http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html generic ampicillin, %-DD, http://cheappurchaseonline.com/ buy viagra, 073, 6df5b5c2defcca1bed22016a84dedab85624dd9c 1102 1101 2012-05-07T04:46:35Z 31.184.238.15 0 FOhPfJQdg wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html generic etodolac, xzcen, http://cheappurchaseonline.com/buy-generic-cialis-jelly-online-en.html generic cialis jelly, nvgme, http://cheappurchaseonline.com/buy-generic-prinivil-online-en.html generic prinivil, =DDD, 855d22892b9fae8fc8dcda1a812af9fd32ecdba0 1103 1102 2012-05-07T04:50:23Z 31.184.238.9 0 TJlXJpNRUqkilto wikitext text/x-wiki , 
http://cheappurchaseonline.com/buy-generic-ibuprofen-online-en.html generic ibuprofen, :-D, http://cheappurchaseonline.com/buy-generic-cordarone-online-en.html generic cordarone, wuh, http://cheappurchaseonline.com/buy-generic-plendil-online-en.html generic plendil, :OOO, http://cheappurchaseonline.com/buy-generic-revia-online-en.html generic revia, hch, http://cheappurchaseonline.com/buy-generic-yasmin-online-en.html generic yasmin, =OOO, c436b9f8587a43e84a6567aaab6099ad556abbaa 1104 1103 2012-05-07T04:52:23Z 31.184.238.15 0 IUzavvMdAxTkXTWVKt wikitext text/x-wiki comment3, http://cheappurchaseonline.com/ buy priligy, upusye, http://cheappurchaseonline.com/buy-generic-norvasc-online-en.html generic norvasc, ikk, http://cheappurchaseonline.com/buy-generic-floxin-online-en.html generic floxin, eviz, c09ce7c14687353bf8786438abc7893f21df3d77 Linux Security Summit 2012 0 8 1105 1104 2012-05-07T04:58:29Z 31.184.238.15 0 flZZmkGBsWsZnxL wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ buy orlistat, smsw, http://cheappurchaseonline.com/buy-generic-isoptin-online-en.html generic isoptin, %]]], http://cheappurchaseonline.com/ generic cialis, 0185, 980b579ee5d4cbac1c5a7a812f35093d9f0be741 1106 1105 2012-05-07T04:59:04Z 31.184.238.9 0 ZkMkXETXKz wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-reglan-online-en.html generic reglan, 67929, http://cheappurchaseonline.com/ generic zoloft, 678966, http://cheappurchaseonline.com/buy-generic-calan-online-en.html generic calan, %(, http://cheappurchaseonline.com/buy-generic-alesse-online-en.html generic alesse, 79250, http://cheappurchaseonline.com/buy-generic-flonase-online-en.html generic flonase, ksr, 9b81a450ac2b424749a73c17d562101dc2f18743 1107 1106 2012-05-07T05:04:26Z 31.184.238.15 0 OOfLODEGErwek wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-zofran-online-en.html generic zofran, 8-OO, http://cheappurchaseonline.com/ generic orlistat, ulyqqp, 
http://cheappurchaseonline.com/buy-generic-maxaquin-online-en.html generic maxaquin, ogfm, 2777b3d9667cb194d4c58abafa5618cc896eb905 1108 1107 2012-05-07T05:08:50Z 31.184.238.9 0 MyjbDjzDTiuwK wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-naprosyn-online-en.html generic naprosyn, 900, http://cheappurchaseonline.com/buy-generic-pentasa-online-en.html generic pentasa, 65782, http://cheappurchaseonline.com/buy-generic-aggrenox-online-en.html generic aggrenox, %-[, http://cheappurchaseonline.com/buy-generic-kamagra-soft-online-en.html generic kamagra soft, %-(, http://cheappurchaseonline.com/buy-generic-verampil-online-en.html generic verampil, =-)), 6ea99f3d4d3ec87908c3a95c58a2c24cdb51e21d 1109 1108 2012-05-07T05:10:52Z 31.184.238.15 0 sSbbILkQFs wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-ibuprofen-online-en.html generic ibuprofen, 49548, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, 490140, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html generic hyzaar, =-(((, 61c433cb9a3f6c9003eee96c1a355a4694360026 1110 1109 2012-05-07T05:16:35Z 31.184.238.15 0 wxGuWSsfKWBsmpCLhv wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-verampil-online-en.html generic verampil, jlxt, http://cheappurchaseonline.com/buy-generic-uniphyl-cr-online-en.html generic uniphyl cr, %-O, http://cheappurchaseonline.com/buy-generic-brand-levitra-online-en.html generic brand levitra, niorft, 20287733ed8f08741db0960511cd3545cf05fef3 1111 1110 2012-05-07T05:17:33Z 31.184.238.9 0 ammxZOEEsXCGMR wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-requip-online-en.html generic requip, >:-PPP, http://cheappurchaseonline.com/buy-generic-prograf-online-en.html generic prograf, 380, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html generic vibramycin, rwj, http://cheappurchaseonline.com/buy-generic-fluoxetine-online-en.html generic fluoxetine, incfif, 
http://cheappurchaseonline.com/ generic doxycycline, yzffpg, da95e2a4c8d062ec67248afe2a677b26f35eac14 1112 1111 2012-05-07T05:21:52Z 31.184.238.9 0 rBNDLCuugxKpzX wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-tenormin-online-en.html generic tenormin, gvpkxo, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html generic crestor, :DDD, http://cheappurchaseonline.com/buy-generic-minipress-online-en.html generic minipress, nbi, http://cheappurchaseonline.com/buy-generic-theo-24-cr-online-en.html generic theo-24 cr, %PP, http://cheappurchaseonline.com/ generic nolvadex, 8-D, 6b86b500991a9484005bdeabd607599f0a1616e5 1113 1112 2012-05-07T05:22:19Z 31.184.238.15 0 EYSuveacVvQZDXZSDq wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-lanoxin-online-en.html generic lanoxin, 8-)), http://cheappurchaseonline.com/buy-generic-revatio-online-en.html generic revatio, %DD, http://cheappurchaseonline.com/buy-generic-diamox-online-en.html generic diamox, 400, 6c2ec6b5310a521046c957a25ca35c7c81ae4038 1114 1113 2012-05-07T05:26:33Z 31.184.238.9 0 RjhqcUjK wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-procardia-online-en.html generic procardia, :-], http://cheappurchaseonline.com/buy-generic-vigora-online-en.html generic vigora, stfnlu, http://cheappurchaseonline.com/buy-generic-claritin-online-en.html generic claritin, 8OOO, http://cheappurchaseonline.com/buy-generic-levitra-professional-online-en.html generic levitra professional, %-[, http://cheappurchaseonline.com/buy-generic-betapace-online-en.html generic betapace, :(, 2ebf121995050378da3451e5097b8ba86ff79a64 1115 1114 2012-05-07T05:28:30Z 31.184.238.15 0 GFpTlARyqfGTNyi wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ generic viagra super active, 384000, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html generic nizoral, 091541, http://cheappurchaseonline.com/buy-generic-zagam-online-en.html generic zagam, 667, 
6b3f6c780f037eb2124a1a0adcbc14309959d773 1116 1115 2012-05-07T05:31:46Z 31.184.238.9 0 cWUOfFFvamOiU wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-forzest-online-en.html generic forzest, 062269, http://cheappurchaseonline.com/buy-generic-augmentin-online-en.html generic augmentin, yxxd, http://cheappurchaseonline.com/buy-generic-kemadrin-online-en.html generic kemadrin, 475, http://cheappurchaseonline.com/buy-generic-combipres-online-en.html generic combipres, %DD, http://cheappurchaseonline.com/buy-generic-protonix-online-en.html generic protonix, kroc, ebd3acbe5d963894099cf24a18d4108ea5f377d6 1117 1116 2012-05-07T05:34:57Z 31.184.238.15 0 owyAIZBZ wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-vermox-online-en.html generic vermox, owk, http://cheappurchaseonline.com/buy-generic-tenormin-online-en.html generic tenormin, vdfekj, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html generic flagyl, 1134, 4d36de6f140b1403bcd34b75742db00ff36ba32c 1118 1117 2012-05-07T05:35:41Z 31.184.238.9 0 xGAKWoAOeQ wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-aralen-online-en.html generic aralen, enzbk, http://cheappurchaseonline.com/ buy strattera, =-[[[, http://cheappurchaseonline.com/buy-generic-ovral-online-en.html generic ovral, :-D, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html generic phenergan, %-[, http://cheappurchaseonline.com/buy-generic-relafen-online-en.html generic relafen, 051009, 52517b63073b05e9d42e810a963a7b412ed1f8e6 1119 1118 2012-05-07T05:40:08Z 31.184.238.9 0 sAQuoUBlfJD wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-valparin-online-en.html generic valparin, vcgoym, http://cheappurchaseonline.com/buy-generic-ticlid-online-en.html generic ticlid, ggzi, http://cheappurchaseonline.com/buy-generic-xeloda-online-en.html generic xeloda, 8DDD, http://cheappurchaseonline.com/buy-generic-stromectol-online-en.html generic stromectol, 9938, 
http://cheappurchaseonline.com/ buy viagra professional, :-(, 167b3d2ebca4f314a7d8b84b3d490e1d305380c2 1120 1119 2012-05-07T05:40:27Z 31.184.238.15 0 kctTvQjJZkvqjZOAaC wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-ventolin-online-en.html generic ventolin, hjlthn, http://cheappurchaseonline.com/buy-generic-noroxin-online-en.html generic noroxin, 065, http://cheappurchaseonline.com/ generic clomid, 2599, ee9d88ac1d8337459d6b356098eb01082f945d8e 1121 1120 2012-05-07T05:44:55Z 31.184.238.9 0 OpqjxXAx wikitext text/x-wiki , http://cheappurchaseonline.com/ buy zithromax, 514443, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html generic doxycycline, 8(((, http://cheappurchaseonline.com/buy-generic-risperdal-online-en.html generic risperdal, 8O, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html generic kamagra, qzgcb, http://cheappurchaseonline.com/buy-generic-danocrine-online-en.html generic danocrine, %], f8073dbcc15549607109638ebd475f72f93e0591 1122 1121 2012-05-07T05:46:36Z 31.184.238.15 0 MowUUICZaQTidJlP wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html generic vibramycin, >:-D, http://cheappurchaseonline.com/buy-generic-valparin-online-en.html generic valparin, pgvk, http://cheappurchaseonline.com/buy-generic-glucotrol-xl-online-en.html generic glucotrol xl, 8O, a1414e23d9b0982dbe81ed728259ef13a4cf06eb 1123 1122 2012-05-07T05:49:49Z 31.184.238.9 0 lUvpKLvaxHGI wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-lopressor-online-en.html generic lopressor, vurhip, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html generic benicar, >:-))), http://cheappurchaseonline.com/buy-generic-tegopen-online-en.html generic tegopen, hdzco, http://cheappurchaseonline.com/ generic accutane, 2558, http://cheappurchaseonline.com/buy-generic-arcoxia-online-en.html generic arcoxia, lzx, b2abb2d61626156900ed6cd63e9f4b4d76092a8e 1124 1123 
2012-05-07T05:52:19Z 31.184.238.15 0 JuJRkplCVhGAs wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-grifulvin-online-en.html generic grifulvin, =-[[, http://cheappurchaseonline.com/buy-generic-indocin-online-en.html generic indocin, =-PP, http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html generic chloromycetin, tjqkzy, 8803a1122a5971a054d570fffd7df0438aad7122 1125 1124 2012-05-07T05:53:27Z 31.184.238.9 0 dchTBEdSu wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-combivir-online-en.html generic combivir, swuyd, http://cheappurchaseonline.com/buy-generic-tadacip-online-en.html generic tadacip, 9953, http://cheappurchaseonline.com/buy-generic-toprol-xl-online-en.html generic toprol xl, snd, http://cheappurchaseonline.com/ buy levitra, =-DD, http://cheappurchaseonline.com/buy-generic-tofranil-online-en.html generic tofranil, 082755, 0b59ac3b6e3b1e06cdd35d92f67328ea0f7a3e92 1126 1125 2012-05-07T05:58:18Z 31.184.238.15 0 fSQfjPpuXhtD wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-brethine-online-en.html generic brethine, :-((, http://cheappurchaseonline.com/buy-generic-ceclor-cd-online-en.html generic ceclor cd, mmdzhn, http://cheappurchaseonline.com/buy-generic-mevacor-online-en.html generic mevacor, >:]]], fd60731224a8f9b8175d82fcb9e826bc80335b65 1127 1126 2012-05-07T05:58:24Z 31.184.238.9 0 DNHfwnSxceaIC wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-levitra-oral-jelly-online-en.html generic levitra oral jelly, :), http://cheappurchaseonline.com/buy-generic-catapres-online-en.html generic catapres, cxik, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html generic viagra professional, ddg, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html generic cozaar, 123, http://cheappurchaseonline.com/buy-generic-amaryl-online-en.html generic amaryl, 34485, 5a59cc7342a1b9688e719034b3ec5d66b77ad7b5 1128 1127 2012-05-07T06:02:33Z 
31.184.238.9 0 IzcVoZEbOAOOujT wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html generic lamprene, 27090, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html generic zithromax, %(((, http://cheappurchaseonline.com/buy-generic-zofran-online-en.html generic zofran, >:-OO, http://cheappurchaseonline.com/buy-generic-micronase-online-en.html generic micronase, 8600, http://cheappurchaseonline.com/buy-generic-glucotrol-online-en.html generic glucotrol, 398290, 55717e5e00c7940b0f2b69f48666b16d847b0e7a 1129 1128 2012-05-07T06:04:11Z 31.184.238.15 0 xxNMyImR wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-flovent-online-en.html generic flovent, oxvpm, http://cheappurchaseonline.com/ buy female viagra, %PP, http://cheappurchaseonline.com/buy-generic-danocrine-online-en.html generic danocrine, 678, 92b82969d24347017c1d8b7b5acb989cd17cfb03 1130 1129 2012-05-07T06:07:03Z 31.184.238.9 0 eHBbkMMqPjDnEVghAR wikitext text/x-wiki , http://cheappurchaseonline.com/ buy viagra super active, wampuu, http://cheappurchaseonline.com/buy-generic-glucovance-online-en.html generic glucovance, 2818, http://cheappurchaseonline.com/buy-generic-symmetrel-online-en.html generic symmetrel, wdm, http://cheappurchaseonline.com/ buy kamagra, %-)), http://cheappurchaseonline.com/buy-generic-floxin-online-en.html generic floxin, 8-PPP, 7453e9950fe5319c728d2bd81a1281104d94e731 1131 1130 2012-05-07T06:10:12Z 31.184.238.15 0 jqmVCPDdiOdVPfDb wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-erythromycin-online-en.html generic erythromycin, lqbtfs, http://cheappurchaseonline.com/ generic accutane, vgqztr, http://cheappurchaseonline.com/buy-generic-tadalis-sx-online-en.html generic tadalis sx, 854689, 216135a9291a23807956a1564dbaf2b8035e95a4 1132 1131 2012-05-07T06:11:48Z 31.184.238.9 0 SNHVVTIdHboFqpN wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-zantac-online-en.html generic zantac, 
Linux Security Summit 2012 0 8
http://cheappurchaseonline.com/buy-generic-relafen-online-en.html generic relafen, smix, http://cheappurchaseonline.com/buy-generic-eskalith-online-en.html generic eskalith, 7125, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html generic calcium carbonate, obpmeh, http://cheappurchaseonline.com/buy-generic-paxil-online-en.html generic paxil, >:]]], http://cheappurchaseonline.com/buy-generic-tegretol-online-en.html generic tegretol, tvts, 4dbbce0e381049fcfb1c164fab8210c216ec5fa7 1219 1218 2012-05-07T10:07:55Z 31.184.238.9 0 sTsUPMvqFC wikitext text/x-wiki , http://cheappurchaseonline.com/ generic nolvadex, bjaeud, http://cheappurchaseonline.com/buy-generic-motrin-online-en.html generic motrin, 231, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html generic cardura, :), http://cheappurchaseonline.com/buy-generic-epivir-hbv-online-en.html generic epivir hbv, 409, http://cheappurchaseonline.com/buy-generic-sinequan-online-en.html generic sinequan, 9791, 1260d2e5d0d9b6e5a373cab5a700938db25298ab 1220 1219 2012-05-07T10:08:18Z 31.184.238.15 0 qPKFvCBZLUsrOAwTbs wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ buy clomid, 8-))), http://cheappurchaseonline.com/buy-generic-cytotec-online-en.html generic cytotec, zxl, http://cheappurchaseonline.com/buy-generic-azulfidine-online-en.html generic azulfidine, =(((, 55439a63eabe8463db3ee5cc12928fc8372c219b 1221 1220 2012-05-07T10:12:42Z 31.184.238.9 0 RbCVVxrKnQe wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-glucotrol-xl-online-en.html generic glucotrol xl, hmb, http://cheappurchaseonline.com/buy-generic-levitra-oral-jelly-online-en.html generic levitra oral jelly, fyro, http://cheappurchaseonline.com/buy-generic-catapres-online-en.html generic catapres, %], http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html generic viagra professional, 044371, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html generic cozaar, =(((, 
c8e8022d7c0b870d7fbec2fd7ef5e3086f184bc1 1222 1221 2012-05-07T10:14:21Z 31.184.238.15 0 GpRrnRrA wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-brand-viagra-online-en.html generic brand viagra, 3279, http://cheappurchaseonline.com/buy-generic-zyvox-online-en.html generic zyvox, obee, http://cheappurchaseonline.com/buy-generic-zofran-online-en.html generic zofran, aoe, 72ba759713aa296f550f856d220a2fc7b1968922 1223 1222 2012-05-07T10:16:56Z 31.184.238.9 0 QiFQOiwuF wikitext text/x-wiki , http://cheappurchaseonline.com/ generic nolvadex, 780, http://cheappurchaseonline.com/buy-generic-motrin-online-en.html generic motrin, mpgg, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html generic cardura, 70236, http://cheappurchaseonline.com/buy-generic-epivir-hbv-online-en.html generic epivir hbv, %[[[, http://cheappurchaseonline.com/buy-generic-sinequan-online-en.html generic sinequan, 161828, d6c61160673d315da0ba8c60200e292bb6a67fc3 1224 1223 2012-05-07T10:20:13Z 31.184.238.15 0 DqTuadEDXSWgt wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-alfacip-online-en.html generic alfacip, lcyunu, http://cheappurchaseonline.com/buy-generic-feldene-online-en.html generic feldene, 11740, http://cheappurchaseonline.com/buy-generic-allopurinol-online-en.html generic allopurinol, abp, ef8bea510c496b20523f288ba554a96966522b21 1225 1224 2012-05-07T10:21:29Z 31.184.238.9 0 HSPmZwtGkmB wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-ventolin-online-en.html generic ventolin, luwab, http://cheappurchaseonline.com/buy-generic-eriacta-online-en.html generic eriacta, 066521, http://cheappurchaseonline.com/buy-generic-pepcid-online-en.html generic pepcid, :(, http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html generic chloromycetin, 8PPP, http://cheappurchaseonline.com/buy-generic-cefaclor-online-en.html generic cefaclor, iddq, ebf6d967048bf21d62b5c9b38da11cbf867514dc 1226 1225 
2012-05-07T10:25:51Z 31.184.238.15 0 ATrFMGEVBGFKKIJop wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-kamagra-flavored-online-en.html generic kamagra flavored, 8-], http://cheappurchaseonline.com/buy-generic-prozac-online-en.html generic prozac, 079, http://cheappurchaseonline.com/buy-generic-ibuprofen-online-en.html generic ibuprofen, nbeiwy, 74b3225112f2cbb402838a4e20a090f8d23b29a9 1227 1226 2012-05-07T10:30:43Z 31.184.238.9 0 UXvxYbHO wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-erectalis-online-en.html buy erectalis online, 59583, http://cheappurchaseonline.com/buy-generic-theo-24-sr-online-en.html buy theo-24 sr online, :OOO, http://cheappurchaseonline.com/buy-generic-diovan-hct-online-en.html buy diovan hct online, 365, http://cheappurchaseonline.com/buy-generic-abilify-online-en.html buy abilify online, 8OOO, http://cheappurchaseonline.com/ buy cipro online, iyx, c7c044d5d54ae2d729940c1bf1ad3fcd0fa4e3dd 1228 1227 2012-05-07T10:31:50Z 31.184.238.15 0 QCOooFkRNCXpfKvID wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-indocin-online-en.html generic indocin, urac, http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html generic chloromycetin, snz, http://cheappurchaseonline.com/buy-generic-lopressor-online-en.html generic lopressor, 15807, 896ed410edba1e17f39bf6c5f237c63640df099d 1229 1228 2012-05-07T10:35:10Z 31.184.238.9 0 pCayXnxSCFlkoWuKB wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy zoloft online, 8-PP, http://cheappurchaseonline.com/buy-generic-suhagra-online-en.html buy suhagra online, zvuhay, http://cheappurchaseonline.com/buy-generic-requip-online-en.html buy requip online, xybx, http://cheappurchaseonline.com/buy-generic-prograf-online-en.html buy prograf online, >:(, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html buy vibramycin online, 083, 8cb64a7043f9be10e9cd8d559d08d38713dea888 1230 1229 
2012-05-07T10:37:46Z 31.184.238.15 0 KJapPBpHyrcP wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-grifulvin-v-online-en.html buy generic grifulvin v, 982, http://cheappurchaseonline.com/buy-generic-cephalexin-online-en.html buy generic cephalexin, jdztt, http://cheappurchaseonline.com/buy-generic-elavil-online-en.html buy generic elavil, >:))), 8cdc4eae46fc68ab1a38e51d477e2647dbf6439b 1231 1230 2012-05-07T10:41:03Z 31.184.238.9 0 tLqniLaaMVRv wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html buy phenergan online, 857763, http://cheappurchaseonline.com/buy-generic-relafen-online-en.html buy relafen online, oaoclf, http://cheappurchaseonline.com/buy-generic-eskalith-online-en.html buy eskalith online, 20600, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html buy calcium carbonate online, spjlx, http://cheappurchaseonline.com/buy-generic-paxil-online-en.html buy paxil online, >:-))), 64db09de1089abe9fed2ae4bf002de12c4929e25 1232 1231 2012-05-07T10:43:35Z 31.184.238.15 0 IiwVMUYYIhLbruRD wikitext text/x-wiki comment3, http://cheappurchaseonline.com/ buy female viagra, qzxjfm, http://cheappurchaseonline.com/buy-generic-danocrine-online-en.html buy generic danocrine, 37959, http://cheappurchaseonline.com/buy-generic-erectalis-online-en.html buy generic erectalis, >:[[, efdfd65976ff85f3e53671ee75cb91001dc1219f 1233 1232 2012-05-07T10:45:13Z 31.184.238.9 0 kUvRmkDSlTnOzhVU wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html buy ampicillin online, 22621, http://cheappurchaseonline.com/ buy viagra online, %-], http://cheappurchaseonline.com/buy-generic-rulide-online-en.html buy rulide online, lwww, http://cheappurchaseonline.com/buy-generic-lotrisone-online-en.html buy lotrisone online, 8-(((, http://cheappurchaseonline.com/buy-generic-zetia-online-en.html buy zetia online, 271, 006480dc95ca9a5c730117a87648b23da0e597aa 1234 1233 
2012-05-07T10:49:51Z 31.184.238.15 0 OkIdDjuiCtMqr wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-urso-online-en.html buy generic urso, fasw, http://cheappurchaseonline.com/buy-generic-glucovance-online-en.html buy generic glucovance, blnz, http://cheappurchaseonline.com/buy-generic-anaprox-online-en.html buy generic anaprox, >:D, 3f2ed1f91f19936c106a2c75824c0277ef08626e 1235 1234 2012-05-07T10:50:27Z 31.184.238.9 0 hBNADPBkmwvxUlywk wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax online, qjypi, http://cheappurchaseonline.com/buy-generic-zofran-online-en.html buy zofran online, iymog, http://cheappurchaseonline.com/buy-generic-micronase-online-en.html buy micronase online, 8(, http://cheappurchaseonline.com/buy-generic-glucotrol-online-en.html buy glucotrol online, 32563, http://cheappurchaseonline.com/buy-generic-furoxone-online-en.html buy furoxone online, 55339, a44999d26cf00327e73c1527c5c1b2c1e583bfc9 1236 1235 2012-05-07T10:54:23Z 31.184.238.9 0 mhIVGkuO wikitext text/x-wiki , http://cheappurchaseonline.com/ buy female viagra online, xza, http://cheappurchaseonline.com/buy-generic-maxolon-online-en.html buy maxolon online, 2610, http://cheappurchaseonline.com/buy-generic-reminyl-online-en.html buy reminyl online, 498, http://cheappurchaseonline.com/ buy orlistat online, ghzt, http://cheappurchaseonline.com/buy-generic-neoral-online-en.html buy neoral online, %))), d49af7d14eca101156ce76cf9f5ceeb11bcb55ff 1237 1236 2012-05-07T10:56:05Z 31.184.238.15 0 xfgyuAqnVONYhsme wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-geodon-online-en.html buy generic geodon, xawyj, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy generic levitra, 8-OOO, http://cheappurchaseonline.com/buy-generic-precose-online-en.html buy generic precose, 894997, 5971f9434d6bbaf16b7e53b89246b4f752210765 1238 1237 2012-05-07T10:58:37Z 31.184.238.9 0 mexqHjwHNdZE 
wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-mobic-online-en.html buy mobic online, zvtfar, http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html buy clarinex online, 5236, http://cheappurchaseonline.com/buy-generic-kamagra-effervescent-online-en.html buy kamagra effervescent online, 9834, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html buy hyzaar online, fduvl, http://cheappurchaseonline.com/buy-generic-myambutol-online-en.html buy myambutol online, 44521, c9f5b32bc71910874baabf63610ca7ada2c826f6 1239 1238 2012-05-07T11:02:01Z 31.184.238.15 0 qKfPQCXpSXFbFA wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-diovan-hct-online-en.html buy generic diovan hct, 8-[, http://cheappurchaseonline.com/buy-generic-reglan-online-en.html buy generic reglan, %OOO, http://cheappurchaseonline.com/buy-generic-levitra-soft-online-en.html buy generic levitra soft, hzow, 882f49f1cc1914ca7fd29d2dc84bbf630832ac55 1240 1239 2012-05-07T11:03:21Z 31.184.238.9 0 iyaUHVBFo wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-erectalis-online-en.html buy erectalis online, 6063, http://cheappurchaseonline.com/buy-generic-theo-24-sr-online-en.html buy theo-24 sr online, lkqws, http://cheappurchaseonline.com/buy-generic-diovan-hct-online-en.html buy diovan hct online, 075163, http://cheappurchaseonline.com/buy-generic-abilify-online-en.html buy abilify online, %-DDD, http://cheappurchaseonline.com/ buy cipro online, 8-PP, 7e5269260ceeba381f925baab669c0e134d0fe93 1241 1240 2012-05-07T11:07:45Z 31.184.238.15 0 ElUTpIXLYEdDEPC wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-seroquel-online-en.html buy generic seroquel, eew, http://cheappurchaseonline.com/ buy viagra professional, 7140, http://cheappurchaseonline.com/buy-generic-xalatan-0005-online-en.html buy generic xalatan 0.005%, jsrt, 5d2f34627914ffbcfe8b283458d6eee74355408d 1242 1241 2012-05-07T11:07:52Z 31.184.238.9 0 TvUKEqmVXnL 
wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html buy cozaar online, 7832, http://cheappurchaseonline.com/buy-generic-amaryl-online-en.html buy amaryl online, vxkwht, http://cheappurchaseonline.com/buy-generic-aciclovir-online-en.html buy aciclovir online, 4894, http://cheappurchaseonline.com/buy-generic-cytoxan-online-en.html buy cytoxan online, 8-DD, http://cheappurchaseonline.com/buy-generic-nimotop-online-en.html buy nimotop online, 677800, 234187085c6a85fff9eea1def795df7e6f27e845 1243 1242 2012-05-07T11:12:46Z 31.184.238.9 0 xpwsTYBNQjIXPm wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-aciphex-online-en.html buy aciphex online, fzuuek, http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html buy etodolac online, ehlt, http://cheappurchaseonline.com/buy-generic-procardia-online-en.html buy procardia online, ckjg, http://cheappurchaseonline.com/buy-generic-vigora-online-en.html buy vigora online, 578, http://cheappurchaseonline.com/buy-generic-claritin-online-en.html buy claritin online, jeql, f2b63f9fb813b9c39fd16a9483be093ce6c1f585 1244 1243 2012-05-07T11:14:07Z 31.184.238.15 0 kCpIjkZKt wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-pamelor-online-en.html buy generic pamelor, qas, http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html buy generic ampicillin, smvyv, http://cheappurchaseonline.com/buy-generic-famvir-online-en.html buy generic famvir, 5709, 8c048f56fc67f3cc65e525c9d3f81be214a85886 1245 1244 2012-05-07T11:17:53Z 31.184.238.9 0 EBgdiEux wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-macrobid-online-en.html buy macrobid online, >:(((, http://cheappurchaseonline.com/buy-generic-super-hard-on-online-en.html buy super hard on online, 023, http://cheappurchaseonline.com/buy-generic-serevent-online-en.html buy serevent online, mol, http://cheappurchaseonline.com/buy-generic-lotensin-online-en.html buy lotensin online, 534032, 
http://cheappurchaseonline.com/buy-generic-cleocin-online-en.html buy cleocin online, 95262, 3a2d4c6c7ffd440335e40258f28411408cb3e5cb 1246 1245 2012-05-07T11:19:45Z 31.184.238.15 0 EJwMuBalThBVm wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-omnicef-online-en.html buy generic omnicef, zrf, http://cheappurchaseonline.com/buy-generic-remeron-online-en.html buy generic remeron, wkr, http://cheappurchaseonline.com/buy-generic-stromectol-online-en.html buy generic stromectol, ati, 1afab4932cd61981bf51dc682632319c7bd6e54c 1247 1246 2012-05-07T11:22:10Z 31.184.238.9 0 MOJwfEmBoSIOpJaqXj wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-verampil-online-en.html buy verampil online, 05239, http://cheappurchaseonline.com/buy-generic-tenormin-online-en.html buy tenormin online, 3383, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html buy crestor online, 8-[[, http://cheappurchaseonline.com/buy-generic-minipress-online-en.html buy minipress online, 51174, http://cheappurchaseonline.com/buy-generic-theo-24-cr-online-en.html buy theo-24 cr online, 97965, b6c8d6b5b901af3cfd5a449f02f82a66780e8ab7 1248 1247 2012-05-07T11:25:32Z 31.184.238.15 0 GYOGUKWatUehDheCvv wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-uniphyl-cr-online-en.html buy generic uniphyl cr, >:-O, http://cheappurchaseonline.com/buy-generic-brand-levitra-online-en.html buy generic brand levitra, reothi, http://cheappurchaseonline.com/ buy viagra, ilh, fa52f1f763142d2570f6990d26400b9f8fe065b3 1249 1248 2012-05-07T11:27:18Z 31.184.238.9 0 QkFRrCfiHvmIlRCzjU wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html buy cymbalta online, 513425, http://cheappurchaseonline.com/buy-generic-trandate-online-en.html buy trandate online, >:-D, http://cheappurchaseonline.com/buy-generic-tritace-online-en.html buy tritace online, mlcxt, http://cheappurchaseonline.com/buy-generic-zovirax-online-en.html buy zovirax 
online, =PP, http://cheappurchaseonline.com/buy-generic-duphaston-online-en.html buy duphaston online, 8-[, 93090b6c711db8ec0165a206005856ec359c8259 1250 1249 2012-05-07T11:30:56Z 31.184.238.15 0 tHAFBXoklYJbqbT wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-plavix-online-en.html buy generic plavix, tpgds, http://cheappurchaseonline.com/buy-generic-epivir-online-en.html buy generic epivir, patof, http://cheappurchaseonline.com/buy-generic-differin-online-en.html buy generic differin, 1070, 8061dc6b49da560b7c8b47a6c7afb735fe915669 1251 1250 2012-05-07T11:31:21Z 31.184.238.9 0 pcybqOLLUqlOHcl wikitext text/x-wiki , http://cheappurchaseonline.com/ buy amoxil online, 86199, http://cheappurchaseonline.com/buy-generic-verapamil-online-en.html buy verapamil online, 5249, http://cheappurchaseonline.com/buy-generic-valtrex-online-en.html buy valtrex online, dfcda, http://cheappurchaseonline.com/buy-generic-bupron-sr-online-en.html buy bupron sr online, 07253, http://cheappurchaseonline.com/ buy viagra online, rjky, 3bd624d73206dc71ba5d54989feb5eb37699f5a5 1252 1251 2012-05-07T11:36:03Z 31.184.238.9 0 JaaVTFfKBcuIEfHCCib wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy levitra online, 292802, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy nolvadex online, ioq, http://cheappurchaseonline.com/buy-generic-viagra-soft-online-en.html buy viagra soft online, :-], http://cheappurchaseonline.com/ buy flagyl online, ojpvt, http://cheappurchaseonline.com/buy-generic-kamagra-jelly-online-en.html buy kamagra jelly online, 8883, a964520a1a8e6bcd9f2ab4c4c22431397ab4d840 1253 1252 2012-05-07T11:37:05Z 31.184.238.15 0 jVPHscRxfdLZsveq wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-inderal-online-en.html buy generic inderal, faixs, http://cheappurchaseonline.com/ buy generic priligy, %D, http://cheappurchaseonline.com/buy-generic-coversyl-online-en.html buy generic 
coversyl, %-[[, cef1c59d8b458a19ced42ddc5343ee9c18f15db1 1254 1253 2012-05-07T11:40:22Z 31.184.238.9 0 vEnHagudXbZ wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-augmentin-online-en.html buy augmentin online, 0412, http://cheappurchaseonline.com/buy-generic-kemadrin-online-en.html buy kemadrin online, ffhy, http://cheappurchaseonline.com/buy-generic-combipres-online-en.html buy combipres online, vmveou, http://cheappurchaseonline.com/buy-generic-protonix-online-en.html buy protonix online, 72424, http://cheappurchaseonline.com/buy-generic-zestril-online-en.html buy zestril online, >:-(((, 296433dac680549ba2562bc07f7b96b3c425e268 Linux Security Summit 2012 0 8 1255 1254 2012-05-07T11:43:06Z 31.184.238.15 0 DOvNrDkDknZ wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-abilify-online-en.html buy generic abilify, 8-D, http://cheappurchaseonline.com/buy-generic-prednisolone-online-en.html buy generic prednisolone, :]]], http://cheappurchaseonline.com/buy-generic-tegopen-online-en.html buy generic tegopen, 8-P, afa7c77cfd0e48dab5d9110853d3e4fcbbfdeee2 1256 1255 2012-05-07T11:48:56Z 31.184.238.15 0 klpVKBIlmSrKw wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-lopid-online-en.html buy generic lopid, vbpiud, http://cheappurchaseonline.com/buy-generic-duricef-online-en.html buy generic duricef, =-OO, http://cheappurchaseonline.com/buy-generic-kamagra-jelly-online-en.html buy generic kamagra jelly, xgqtp, 8c652d823ec8c528e828f7b7831ec4e5e9a2f2f0 1257 1256 2012-05-07T11:54:41Z 31.184.238.9 0 ErjLbiwMeuQDLVhtzy wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-tegretol-online-en.html buy tegretol online, >:DD, http://cheappurchaseonline.com/buy-generic-elavil-online-en.html buy elavil online, 796782, http://cheappurchaseonline.com/buy-generic-vermox-online-en.html buy vermox online, 133, http://cheappurchaseonline.com/ buy flagyl online, =(((, 
http://cheappurchaseonline.com/buy-generic-zyvox-online-en.html buy zyvox online, :-OOO, beebff594b9921e0a43038059a42e3d3157f8667 1258 1257 2012-05-07T11:54:45Z 31.184.238.15 0 qIoqZbsqlbvxtAGp wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-trecator-sc-online-en.html buy generic trecator-sc, =DD, http://cheappurchaseonline.com/buy-generic-depakote-online-en.html buy generic depakote, 36624, http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html buy generic inderal la, >:-DDD, 5cc848b006bbc57074346e657615f10d5e9eb578 1259 1258 2012-05-07T12:00:46Z 31.184.238.9 0 peVTMauDCQvNAySNFAT wikitext text/x-wiki , http://cheappurchaseonline.com/ buy orlistat online, wqgn, http://cheappurchaseonline.com/ buy strattera online, 296, http://cheappurchaseonline.com/buy-generic-tinidazole-online-en.html buy tinidazole online, >:-[[, http://cheappurchaseonline.com/buy-generic-proventil-online-en.html buy proventil online, 206, http://cheappurchaseonline.com/buy-generic-effexor-online-en.html buy effexor online, ritfnc, f995f5af690001a90265887d688631acb190ba12 1260 1259 2012-05-07T12:02:45Z 31.184.238.15 0 zGcTYsNgXgESgEKlyvG wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ buy generic orlistat, :PPP, http://cheappurchaseonline.com/buy-generic-maxaquin-online-en.html buy generic maxaquin, 8D, http://cheappurchaseonline.com/buy-generic-antabuse-online-en.html buy generic antabuse, %))), 74a1fe4ee136bccf8846c3fe0c3a3cc0e50a89af 1261 1260 2012-05-07T12:09:13Z 31.184.238.15 0 fLlNmoMRfRBrGmmJ wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-theo-24-cr-online-en.html buy generic theo-24 cr, >:-]], http://cheappurchaseonline.com/buy-generic-rythmol-online-en.html buy generic rythmol, 987, http://cheappurchaseonline.com/ buy generic prednisone, 568, 0808a5467e8c0932624429b9e041292abe449578 1262 1261 2012-05-07T12:15:38Z 31.184.238.9 0 tIhNGdDj wikitext text/x-wiki , 
http://cheappurchaseonline.com/buy-generic-capoten-online-en.html buy capoten online, 643, http://cheappurchaseonline.com/buy-generic-remeron-online-en.html buy remeron online, bljxnb, http://cheappurchaseonline.com/buy-generic-cephalexin-online-en.html buy cephalexin online, syxh, http://cheappurchaseonline.com/buy-generic-red-viagra-online-en.html buy red viagra online, 8)), http://cheappurchaseonline.com/buy-generic-glucophage-xr-online-en.html buy glucophage xr online, =(, 3116890ee1bc12cc3e7703d25dcf4bfdd9b62f9a 1263 1262 2012-05-07T12:16:49Z 31.184.238.15 0 hMQgabKiPVg wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-zyrtec-online-en.html buy generic zyrtec, 497, http://cheappurchaseonline.com/buy-generic-proventil-online-en.html buy generic proventil, 76297, http://cheappurchaseonline.com/ buy generic propecia, xyngtp, 3a14d0c696eb0222400baf9007c4c38735ce3e77 1264 1263 2012-05-07T12:20:30Z 31.184.238.9 0 aXmjjbWTTbNZCxFKHHf wikitext text/x-wiki , http://cheappurchaseonline.com/ buy kamagra online, >:DD, http://cheappurchaseonline.com/buy-generic-naprosyn-online-en.html buy naprosyn online, dltuqz, http://cheappurchaseonline.com/buy-generic-pentasa-online-en.html buy pentasa online, 8DD, http://cheappurchaseonline.com/buy-generic-aggrenox-online-en.html buy aggrenox online, =-OOO, http://cheappurchaseonline.com/buy-generic-kamagra-soft-online-en.html buy kamagra soft online, 34796, 6c7f19ae557cd4452ded9cd3cedccc48f137c153 1265 1264 2012-05-07T12:24:54Z 31.184.238.9 0 PeHOckAOHdE wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-grifulvin-v-online-en.html buy grifulvin v online, urfu, http://cheappurchaseonline.com/buy-generic-arava-online-en.html buy arava online, hku, http://cheappurchaseonline.com/buy-generic-aralen-online-en.html buy aralen online, ecq, http://cheappurchaseonline.com/ buy strattera online, >:-OOO, http://cheappurchaseonline.com/buy-generic-ovral-online-en.html buy ovral online, vhn, 
3053eec505672d9c455575d6dcc1f2441546f86d 1266 1265 2012-05-07T12:37:06Z 31.184.238.9 0 qfWnEchpW wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-tofranil-online-en.html buy tofranil online, :-PP, http://cheappurchaseonline.com/buy-generic-seroquel-online-en.html buy seroquel, bwi, http://cheappurchaseonline.com/buy-generic-dapsone-online-en.html buy generic dapsone, =PPP, http://cheappurchaseonline.com/buy-generic-albenza-online-en.html buy albenza online, tthh, http://cheappurchaseonline.com/buy-generic-viagra-jelly-online-en.html generic viagra jelly, zivjc, b432d1b3bdb79056a43c108a05fce5ff0c73c053 1267 1266 2012-05-07T12:39:44Z 31.184.238.9 0 uGtAAdjVtd wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-famvir-online-en.html buy famvir, 5425, http://cheappurchaseonline.com/ generic diflucan, 27386, http://cheappurchaseonline.com/buy-generic-aciphex-online-en.html generic aciphex, :P, http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html buy etodolac, 684879, http://cheappurchaseonline.com/buy-generic-procardia-online-en.html buy generic procardia, 622719, 3d65ea134cd2f3d02dbd1040999e2409439fb257 1268 1267 2012-05-07T12:43:29Z 31.184.238.9 0 BrjTIAigGjMlRrRDAaT wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-verampil-online-en.html buy verampil online, rkn, http://cheappurchaseonline.com/buy-generic-tenormin-online-en.html generic tenormin, jvg, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html generic crestor, xhs, http://cheappurchaseonline.com/buy-generic-minipress-online-en.html buy minipress online, :PPP, http://cheappurchaseonline.com/buy-generic-theo-24-cr-online-en.html theo-24 cr, xomw, 48518afd1e93e1aa868a07cab289777f76ca0d28 1269 1268 2012-05-07T12:49:51Z 31.184.238.9 0 XBHJWnPOjZtZbT wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-zyprexa-online-en.html buy zyprexa online, uzmhgw, http://cheappurchaseonline.com/ buy lasix online, fyuqn, 
245ab3c3329ae82ea330c7fe75923f5dc684d86e 1352 1351 2012-05-07T16:54:57Z 31.184.238.15 0 iBtPpmDhl wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-nexium-online-en.html buy nexium, 28885, http://cheappurchaseonline.com/ cialis super active, :[[[, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy generic cialis, 8-OO, http://cheappurchaseonline.com/buy-generic-finpecia-online-en.html buy generic finpecia, 867, http://cheappurchaseonline.com/buy-generic-glucotrol-xl-online-en.html buy glucotrol xl online, 691616, 15590bd3095d1130b637be991d50b2777e05c29d 1353 1352 2012-05-07T16:57:21Z 31.184.238.9 0 OMFshZUSlaj wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-verampil-online-en.html buy verampil, 4693, http://cheappurchaseonline.com/buy-generic-tenormin-online-en.html buy generic tenormin, wwi, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html generic crestor, sov, http://cheappurchaseonline.com/buy-generic-minipress-online-en.html buy minipress, ccwvcj, http://cheappurchaseonline.com/buy-generic-theo-24-cr-online-en.html buy generic theo-24 cr, tefz, 589d17484e59e18cc31cbc7a0eaca25df2deb395 1354 1353 2012-05-07T17:00:35Z 31.184.238.15 0 WoSiYvSVMxpgH wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-terramycin-online-en.html buy generic terramycin, :-OO, http://cheappurchaseonline.com/buy-generic-isoptin-online-en.html buy generic isoptin, 8DD, http://cheappurchaseonline.com/buy-generic-monopril-online-en.html buy monopril, zpw, http://cheappurchaseonline.com/buy-generic-tadalis-sx-soft-online-en.html generic tadalis sx soft, 423911, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html nizoral, =), db39e60458a53732ebe7329aaa7bf04610fd9595 Linux Security Summit 2012 0 8 1355 1354 2012-05-07T17:06:36Z 31.184.238.9 0 AssIVaufbwDyhARaT wikitext text/x-wiki , http://cheappurchaseonline.com/ buy cialis, =-(((, 
http://cheappurchaseonline.com/buy-generic-zocor-online-en.html zocor, :-))), http://cheappurchaseonline.com/buy-generic-propecia-online-en.html propecia</a>, 3124, http://cheappurchaseonline.com/buy-generic-combivent-online-en.html buy combivent, 550, http://cheappurchaseonline.com/buy-generic-ortho-tri-cyclen-online-en.html buy ortho tri-cyclen online, 930, a856af10c30843101f04062634c97a8e05b22a61 1356 1355 2012-05-07T17:07:05Z 31.184.238.15 0 ZQIQfyvutgibDu wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-zerit-online-en.html buy generic zerit, 841, http://cheappurchaseonline.com/ buy female viagra, tktvo, http://cheappurchaseonline.com/buy-generic-brand-levitra-online-en.html buy brand levitra, nqtz, http://cheappurchaseonline.com/buy-generic-monoket-online-en.html buy monoket, nfv, http://cheappurchaseonline.com/buy-generic-trecator-sc-online-en.html generic trecator-sc, 8[[, 96c68e327bfd883037d2810c3df7a6fd6c228563 1357 1356 2012-05-07T17:11:11Z 31.184.238.9 0 gBfitLjksDgV wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-danocrine-online-en.html buy generic danocrine, 475, http://cheappurchaseonline.com/buy-generic-reglan-online-en.html buy generic reglan, =-D, http://cheappurchaseonline.com/ zoloft, gaieuq, http://cheappurchaseonline.com/buy-generic-calan-online-en.html generic calan, 052815, http://cheappurchaseonline.com/buy-generic-alesse-online-en.html generic alesse, xxhvro, 1ce57009eb25473e163b79fa87a2963eaf9b032f 1358 1357 2012-05-07T17:13:15Z 31.184.238.15 0 WotSSyJYz wikitext text/x-wiki comment3, http://cheappurchaseonline.com/ buy generic cialis, 8-))), http://cheappurchaseonline.com/buy-generic-paxil-cr-online-en.html paxil cr, mclykf, http://cheappurchaseonline.com/buy-generic-lamictal-online-en.html lamictal, >:-PPP, http://cheappurchaseonline.com/buy-generic-sporanox-online-en.html buy sporanox, wlkzyr, http://cheappurchaseonline.com/buy-generic-epivir-online-en.html generic epivir, 8))), 
6a4cf62664682a805dd130b335b8f515d86bfac5 1359 1358 2012-05-07T17:15:23Z 31.184.238.9 0 ybKuoncwaCHPqZPYbBm wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-glycomet-online-en.html buy glycomet online, >:(((, http://cheappurchaseonline.com/buy-generic-viramune-online-en.html buy viramune, jhs, http://cheappurchaseonline.com/buy-generic-desyrel-online-en.html buy desyrel, 89389, 56ee8a7777b6e4aa9bb40914396020a62361019e 1360 1359 2012-05-07T17:19:43Z 31.184.238.15 0 IPRsGKpdiTfyH wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html buy generic vibramycin, 67022, http://cheappurchaseonline.com/buy-generic-fluoxetine-online-en.html fluoxetine, lovfc, http://cheappurchaseonline.com/ doxycycline, psajp, http://cheappurchaseonline.com/buy-generic-uniphyl-cr-online-en.html generic uniphyl cr, >:], http://cheappurchaseonline.com/buy-generic-atarax-online-en.html buy atarax, 6511, ce1273f1d85dac6f5f51ca57871a9d7622f0378a 1361 1360 2012-05-07T17:20:11Z 31.184.238.9 0 lQcNBouXXZSawa wikitext text/x-wiki , http://cheappurchaseonline.com/ generic nolvadex, nenli, http://cheappurchaseonline.com/buy-generic-motrin-online-en.html generic motrin, fzi, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html buy cardura, dppq, http://cheappurchaseonline.com/buy-generic-epivir-hbv-online-en.html buy epivir hbv, %PP, http://cheappurchaseonline.com/buy-generic-sinequan-online-en.html buy generic sinequan, :-], 1ed71789a73b85681e2291230cb0d2880fc2ccdd 1362 1361 2012-05-07T17:24:15Z 31.184.238.9 0 JjrdcAjEbuB wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic clomid, mlrs, http://cheappurchaseonline.com/buy-generic-risnia-online-en.html buy risnia, 830, http://cheappurchaseonline.com/buy-generic-maxaquin-online-en.html maxaquin, %-DD, http://cheappurchaseonline.com/buy-generic-benadryl-online-en.html buy generic benadryl, zuz, http://cheappurchaseonline.com/buy-generic-viagra-gold-online-en.html buy 
viagra gold online, ihbih, faaebb095eebb7a90d1f220147fb00af3c39158c 1363 1362 2012-05-07T17:25:43Z 31.184.238.15 0 dZHGYsfEu wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-reglan-online-en.html reglan, =[, http://cheappurchaseonline.com/ buy generic zoloft, %]]], http://cheappurchaseonline.com/buy-generic-calan-online-en.html buy calan, xcw, http://cheappurchaseonline.com/buy-generic-alesse-online-en.html buy alesse, 43092, http://cheappurchaseonline.com/buy-generic-flonase-online-en.html buy flonase online, sug, a8a83eee78a26f6299e4eca542f6dff0828f2b02 1364 1363 2012-05-07T17:28:29Z 31.184.238.9 0 xCPvduTmZlIBK wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-pletal-online-en.html generic pletal, uwntbc, http://cheappurchaseonline.com/buy-generic-rocaltrol-online-en.html generic rocaltrol, 898477, http://cheappurchaseonline.com/buy-generic-zestoretic-online-en.html generic zestoretic, 7171, http://cheappurchaseonline.com/buy-generic-asendin-online-en.html buy asendin online, >:DD, http://cheappurchaseonline.com/buy-generic-lotrel-online-en.html lotrel, 8(, 4ec8ca6807cab0bd3336cc31874eeea0c03d176c 1365 1364 2012-05-07T17:31:29Z 31.184.238.15 0 icSXizTn wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-sinequan-online-en.html buy sinequan online, tzgvx, http://cheappurchaseonline.com/ generic cialis professional, >:[[[, http://cheappurchaseonline.com/buy-generic-phoslo-online-en.html buy generic phoslo, 4596, http://cheappurchaseonline.com/buy-generic-zenegra-online-en.html buy generic zenegra, >:-[, http://cheappurchaseonline.com/buy-generic-sublingual-viagra-online-en.html buy sublingual viagra online, %-D, 1cdda9b443b4816650202ec722965469bfefd3b4 1366 1365 2012-05-07T17:33:00Z 31.184.238.9 0 cnEGFaCIuTWtIGUzYd wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy generic nolvadex, 2938, http://cheappurchaseonline.com/buy-generic-viagra-soft-online-en.html 
generic viagra soft, epvb, http://cheappurchaseonline.com/ flagyl, twnm, http://cheappurchaseonline.com/buy-generic-kamagra-jelly-online-en.html kamagra jelly, :(, http://cheappurchaseonline.com/buy-generic-diamox-online-en.html diamox, =-((, ce2f1ba4c0ffa563a3048edba5121ef2e4770e41 1367 1366 2012-05-07T17:37:34Z 31.184.238.9 0 XAHxvLgj wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-theo-24-sr-online-en.html buy theo-24 sr online, %]], http://cheappurchaseonline.com/buy-generic-diovan-hct-online-en.html buy diovan hct, zuic, http://cheappurchaseonline.com/buy-generic-abilify-online-en.html buy abilify, >:-O, http://cheappurchaseonline.com/ buy cipro online, 6581, http://cheappurchaseonline.com/buy-generic-kamagra-gold-online-en.html kamagra gold, 556, ef7d72c76c862b6c30c41c4bac81ddceb85e062e 1368 1367 2012-05-07T17:37:45Z 31.184.238.15 0 xxDsNIGUKFPhaixO wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ generic viagra, %P, http://cheappurchaseonline.com/buy-generic-mobic-online-en.html buy mobic online, 432, http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html clarinex, bggz, http://cheappurchaseonline.com/buy-generic-kamagra-effervescent-online-en.html buy kamagra effervescent online, 996, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html hyzaar, 39917, e7e090dc99cb5193dee39340f403711a18333c0d 1369 1368 2012-05-07T17:43:04Z 31.184.238.9 0 mJMyLEmDIHMrWOj wikitext text/x-wiki , http://cheappurchaseonline.com/ buy kamagra, 5282, http://cheappurchaseonline.com/buy-generic-naprosyn-online-en.html buy generic naprosyn, jbe, http://cheappurchaseonline.com/buy-generic-pentasa-online-en.html pentasa, ewx, http://cheappurchaseonline.com/buy-generic-aggrenox-online-en.html aggrenox, hijsf, http://cheappurchaseonline.com/buy-generic-kamagra-soft-online-en.html buy kamagra soft, >:[[[, 5206ee86b55487c477627305aafeaccc2fed1982 1370 1369 2012-05-07T17:45:58Z 31.184.238.15 0 WzfdjFBYOLlRAiQww wikitext text/x-wiki 
comment1, http://cheappurchaseonline.com/buy-generic-indinavir-online-en.html buy indinavir, 625365, http://cheappurchaseonline.com/buy-generic-diovan-online-en.html buy diovan online, 470048, http://cheappurchaseonline.com/buy-generic-copegus-online-en.html generic copegus, ertzke, http://cheappurchaseonline.com/buy-generic-fempro-online-en.html buy fempro, xbswuc, http://cheappurchaseonline.com/ buy diflucan, 468168, 3c588c191102d8fc9746d16a8c2c8d68f937f0d0 1371 1370 2012-05-07T17:47:50Z 31.184.238.9 0 hEBawbCOkkRbEw wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-caverta-online-en.html caverta, =D, http://cheappurchaseonline.com/buy-generic-lanoxin-online-en.html buy lanoxin, dsgd, http://cheappurchaseonline.com/ buy zoloft, 549616, http://cheappurchaseonline.com/buy-generic-hydrea-online-en.html buy generic hydrea, 408, http://cheappurchaseonline.com/buy-generic-trileptal-online-en.html generic trileptal, sdjb, 830ba5cc6a3903c2d5ec31d18225010460910e06 1372 1371 2012-05-07T17:51:49Z 31.184.238.15 0 TacltTmSeuqR wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-depakote-online-en.html buy depakote online, %[, http://cheappurchaseonline.com/buy-generic-inderal-online-en.html buy inderal, >:-OO, http://cheappurchaseonline.com/buy-generic-cardarone-online-en.html generic cardarone, jijwkz, http://cheappurchaseonline.com/buy-generic-artane-online-en.html buy generic artane, 8-D, http://cheappurchaseonline.com/buy-generic-dilantin-online-en.html buy dilantin online, sdxbwi, 6238aeac165cb35da6cf7caab9e15ef0be6aa99f 1373 1372 2012-05-07T17:52:17Z 31.184.238.9 0 tJNetfBhrJUTfiE wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html buy inderal la, 261, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, kfvtda, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html buy ansaid, >:[[[, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html buy 
generic tricor, 8-OOO, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html viagra super active, rhby, c4d2c68d882ff2ca8e309bcbcb1449bfa4c4c433 1374 1373 2012-05-07T17:56:52Z 31.184.238.9 0 jCejYmwSRygttMGS wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-avandia-online-en.html avandia, 481, http://cheappurchaseonline.com/buy-generic-atacand-online-en.html buy atacand online, 0195, http://cheappurchaseonline.com/ nolvadex, eaqy, http://cheappurchaseonline.com/buy-generic-endep-online-en.html endep, oqqgq, http://cheappurchaseonline.com/buy-generic-capoten-online-en.html buy generic capoten, oxu, ac7754e026c04844583faa8a318ea93fc929499b 1375 1374 2012-05-07T17:57:42Z 31.184.238.15 0 EIonPHjzizbu wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-crixivan-online-en.html buy crixivan online, pffl, http://cheappurchaseonline.com/buy-generic-celexa-online-en.html celexa, 835, http://cheappurchaseonline.com/buy-generic-ceclor-cd-online-en.html buy ceclor cd, 00290, http://cheappurchaseonline.com/buy-generic-viagra-caps-online-en.html buy viagra caps, ghc, http://cheappurchaseonline.com/buy-generic-plan-b-online-en.html generic plan b, :-(, 77d0e414e91b4289b6845054cd7a2b9d430e5bd1 1376 1375 2012-05-07T18:01:30Z 31.184.238.9 0 BudwFuvRcTiXNE wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-zofran-online-en.html buy zofran online, 164, http://cheappurchaseonline.com/buy-generic-micronase-online-en.html buy generic micronase, njrux, http://cheappurchaseonline.com/buy-generic-glucotrol-online-en.html glucotrol, xzmjwf, http://cheappurchaseonline.com/buy-generic-furoxone-online-en.html generic furoxone, xbfvz, http://cheappurchaseonline.com/buy-generic-zyloprim-online-en.html zyloprim, ysih, a27b1939461b36a8ee525941c635c7d9c520bc0c 1377 1376 2012-05-07T18:04:03Z 31.184.238.15 0 tvRSEPOAGLJAM wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-naprosyn-online-en.html buy 
naprosyn, 1651, http://cheappurchaseonline.com/buy-generic-pentasa-online-en.html generic pentasa, 3379, http://cheappurchaseonline.com/buy-generic-aggrenox-online-en.html aggrenox, 8-]]], http://cheappurchaseonline.com/buy-generic-kamagra-soft-online-en.html buy generic kamagra soft, %], http://cheappurchaseonline.com/buy-generic-verampil-online-en.html buy verampil online, lww, 1a85ce21c9d8bb9f72320d44605386cde25023f5 1378 1377 2012-05-07T18:06:11Z 31.184.238.9 0 QDEPZpDXADhHE wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-furacin-online-en.html furacin, 8PP, http://cheappurchaseonline.com/buy-generic-dulcolax-online-en.html dulcolax, 788, http://cheappurchaseonline.com/buy-generic-casodex-online-en.html buy casodex online, wkma, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html buy diflucan, 812614, http://cheappurchaseonline.com/buy-generic-pamelor-online-en.html generic pamelor, iokg, aae8c3b8508ca94804e95c496b343c4feaf7b262 1379 1378 2012-05-07T18:10:09Z 31.184.238.15 0 kmRuRGhbTzCOBxOS wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-ovral-online-en.html buy generic ovral, 0648, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html phenergan, 0330, http://cheappurchaseonline.com/buy-generic-relafen-online-en.html buy generic relafen, 9635, http://cheappurchaseonline.com/buy-generic-eskalith-online-en.html generic eskalith, 8[, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html buy calcium carbonate online, rbokb, d8e87f693d1c10e7e614171a12791e7cff1f8b04 1380 1379 2012-05-07T18:11:01Z 31.184.238.9 0 CuonxluRdux wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-sumycin-online-en.html generic sumycin, yfxl, http://cheappurchaseonline.com/buy-generic-aricept-online-en.html generic aricept, 965, http://cheappurchaseonline.com/buy-generic-nitroglycerin-online-en.html nitroglycerin, %-)), 
http://cheappurchaseonline.com/buy-generic-glucophage-online-en.html buy glucophage online, xcm, http://cheappurchaseonline.com/buy-generic-grifulvin-v-online-en.html grifulvin v, :[[[, 9a5beb0a472c3f98fb3bd75b2391c4071f0fb347 1381 1380 2012-05-07T18:12:38Z 31.184.238.9 0 hamLarslavIpZGCaFO wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-arava-online-en.html buy arava, hmzen, http://cheappurchaseonline.com/buy-generic-aralen-online-en.html generic aralen, >:((, http://cheappurchaseonline.com/ buy strattera, :D, http://cheappurchaseonline.com/buy-generic-ovral-online-en.html generic ovral, 192, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html buy generic phenergan, sduln, 1f3f28371e849ea6ba521d909a3238ca841418a3 1382 1381 2012-05-07T18:16:00Z 31.184.238.15 0 qTSiSZSGeZp wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-diltiazem-online-en.html diltiazem, 54224, http://cheappurchaseonline.com/buy-generic-rythmol-online-en.html buy rythmol online, 31050, http://cheappurchaseonline.com/ viagra super active, uft, http://cheappurchaseonline.com/buy-generic-anaprox-online-en.html buy generic anaprox, 3501, http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html buy lamprene online, exxsou, d71939fb577d5346bee4ebf23b4c31589557a178 1383 1382 2012-05-07T18:17:09Z 31.184.238.9 0 UwtedUcMzUq wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-remeron-online-en.html remeron, >:OO, http://cheappurchaseonline.com/buy-generic-cephalexin-online-en.html buy cephalexin, >:-(((, http://cheappurchaseonline.com/buy-generic-red-viagra-online-en.html generic red viagra, bidb, http://cheappurchaseonline.com/buy-generic-glucophage-xr-online-en.html buy glucophage xr, zdqcsl, http://cheappurchaseonline.com/buy-generic-noroxin-online-en.html generic noroxin, 1422, 8480557b6d360f4c77b2b166baccb7905b9f95a7 1384 1383 2012-05-07T18:21:28Z 31.184.238.15 0 kUoNBOOslYtDDStXEsx wikitext text/x-wiki comment5, 
http://cheappurchaseonline.com/buy-generic-levitra-with-dapoxetine-online-en.html buy levitra with dapoxetine, %-[[, http://cheappurchaseonline.com/buy-generic-isoptin-sr-online-en.html buy isoptin sr online, 297200, http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html buy inderal la online, %)), http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, 939, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html ansaid, rckbb, 2acbbcb14313d4100b8f80389bca840ede9d8eb4 1385 1384 2012-05-07T18:21:37Z 31.184.238.9 0 IsAgxQagb wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-arcoxia-online-en.html buy generic arcoxia, 554, http://cheappurchaseonline.com/buy-generic-plavix-online-en.html plavix, 8PP, http://cheappurchaseonline.com/buy-generic-mevacor-online-en.html mevacor, 8-DD, http://cheappurchaseonline.com/buy-generic-imodium-online-en.html buy generic imodium, >:[, http://cheappurchaseonline.com/buy-generic-mircette-online-en.html buy generic mircette, rsvh, 7e3e943bd6184958204c383d3e51e7061f2e959f 1386 1385 2012-05-07T18:26:24Z 31.184.238.9 0 GxTkhNgBG wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-elavil-online-en.html buy elavil, 28018, http://cheappurchaseonline.com/buy-generic-vermox-online-en.html buy vermox online, 2057, http://cheappurchaseonline.com/ buy flagyl online, dmfkhb, http://cheappurchaseonline.com/buy-generic-zyvox-online-en.html buy zyvox, zra, http://cheappurchaseonline.com/buy-generic-cycrin-online-en.html buy cycrin, xjl, ad61ac353aa7acee4167ca280f3bbef31502bf84 1387 1386 2012-05-07T18:27:18Z 31.184.238.15 0 VhKGsIqehZx wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-lopid-online-en.html buy lopid online, psew, http://cheappurchaseonline.com/buy-generic-wellbutrin-online-en.html buy wellbutrin, 551, http://cheappurchaseonline.com/buy-generic-grisactin-online-en.html buy generic grisactin, volzr, 
http://cheappurchaseonline.com/buy-generic-mysoline-online-en.html generic mysoline, 156, http://cheappurchaseonline.com/buy-generic-duricef-online-en.html generic duricef, dksz, d0eeba8d131b54eff27151d1ff7568846544886e 1389 1387 2012-05-07T18:30:31Z 31.184.238.9 0 jUpCLdNddQhxjQDMHu wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-famvir-online-en.html famvir, btpgj, http://cheappurchaseonline.com/ generic diflucan, 191285, http://cheappurchaseonline.com/buy-generic-aciphex-online-en.html aciphex, %OO, http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html buy etodolac online, wpd, http://cheappurchaseonline.com/buy-generic-procardia-online-en.html buy procardia, :-[[, 696f339ac5ed3b27362662a7ac1d9e47437ebf15 1390 1389 2012-05-07T18:33:31Z 31.184.238.15 0 IMcwggpCEiT wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax, >:-(((, http://cheappurchaseonline.com/buy-generic-zofran-online-en.html buy generic zofran, firni, http://cheappurchaseonline.com/buy-generic-micronase-online-en.html generic micronase, 533694, http://cheappurchaseonline.com/buy-generic-glucotrol-online-en.html generic glucotrol, =PPP, http://cheappurchaseonline.com/buy-generic-furoxone-online-en.html buy furoxone online, pfmwxs, 8820e741e1723e82a42b9abce705c4b0f112e4e6 1391 1390 2012-05-07T18:34:55Z 31.184.238.9 0 gODYAMMdGgVOPOXWJap wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-pepcid-online-en.html generic pepcid, csrgg, http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html buy generic chloromycetin, 713, http://cheappurchaseonline.com/buy-generic-cefaclor-online-en.html buy cefaclor online, 8-[[[, http://cheappurchaseonline.com/buy-generic-rebetol-online-en.html buy generic rebetol, >:-D, http://cheappurchaseonline.com/ buy viagra super active online, fpbwem, 0e996e635948845a352ae8818425961f34498009 1392 1391 2012-05-07T18:39:17Z 31.184.238.9 0 mJWEBrqFNtjn wikitext 
text/x-wiki , http://cheappurchaseonline.com/buy-generic-persantine-online-en.html buy persantine, iwuh, http://cheappurchaseonline.com/buy-generic-zerit-online-en.html generic zerit, 24582, http://cheappurchaseonline.com/ female viagra, >:-[[[, http://cheappurchaseonline.com/buy-generic-brand-levitra-online-en.html buy brand levitra, >:PPP, http://cheappurchaseonline.com/buy-generic-monoket-online-en.html generic monoket, =-[[, 701b078ca0b11e483919546e1633751f6435c1ec 1393 1392 2012-05-07T18:39:43Z 31.184.238.15 0 awrglfHCTGpzBgSXsy wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-ortho-tri-cyclen-online-en.html buy ortho tri-cyclen, lkr, http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html buy generic cymbalta, etz, http://cheappurchaseonline.com/buy-generic-trandate-online-en.html buy trandate, >:-))), http://cheappurchaseonline.com/buy-generic-tritace-online-en.html tritace, 407, http://cheappurchaseonline.com/buy-generic-zovirax-online-en.html buy zovirax online, oodw, 8f951238fd1b650d9783a09d38b99a096ed30b25 1394 1393 2012-05-07T18:43:33Z 31.184.238.9 0 YAJjOzlkxFXSfAvNeSz wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-vigora-online-en.html buy vigora online, 1009, http://cheappurchaseonline.com/buy-generic-claritin-online-en.html buy claritin online, 247, http://cheappurchaseonline.com/buy-generic-levitra-professional-online-en.html buy levitra professional online, sucrq, http://cheappurchaseonline.com/buy-generic-betapace-online-en.html buy generic betapace, utoxdy, http://cheappurchaseonline.com/ buy generic propecia, dwoyl, 9e66045da44da45eda49d9ac7567a87dd87cc84a 1395 1394 2012-05-07T18:46:31Z 31.184.238.15 0 cLgHQptd wikitext text/x-wiki comment3, http://cheappurchaseonline.com/ buy diflucan, 163, http://cheappurchaseonline.com/buy-generic-aciphex-online-en.html aciphex, 8OOO, http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html buy generic etodolac, 29485, 
http://cheappurchaseonline.com/buy-generic-procardia-online-en.html buy generic procardia, >:))), http://cheappurchaseonline.com/buy-generic-vigora-online-en.html buy generic vigora, 8(((, 8c5d0767c69dff5048ffa9bfad630ed2c34e8a19 1396 1395 2012-05-07T18:47:45Z 31.184.238.9 0 bUULIURm wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-lamisil-online-en.html generic lamisil, 886678, http://cheappurchaseonline.com/buy-generic-vitamin-c-online-en.html buy generic vitamin c, jze, http://cheappurchaseonline.com/buy-generic-keflex-online-en.html keflex, :-OO, http://cheappurchaseonline.com/buy-generic-ventolin-online-en.html buy ventolin online, =], http://cheappurchaseonline.com/buy-generic-eriacta-online-en.html buy eriacta online, 8DDD, 87a9bc01f72e839af5a8f524204da2cc76935786 1397 1396 2012-05-07T18:51:59Z 31.184.238.9 0 lNlNGCJEEAiU wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html generic clarinex, igim, http://cheappurchaseonline.com/buy-generic-kamagra-effervescent-online-en.html buy kamagra effervescent, vsm, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html buy hyzaar online, 6303, http://cheappurchaseonline.com/buy-generic-myambutol-online-en.html buy myambutol, ucf, http://cheappurchaseonline.com/buy-generic-zebeta-online-en.html generic zebeta, kafzxo, 3ea38ef09c2b7ef8b3eb04340d0d26fb355cc5fd 1398 1397 2012-05-07T18:52:23Z 31.184.238.15 0 AAvibklcAOixKEBSyhq wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-maxolon-online-en.html buy maxolon, kid, http://cheappurchaseonline.com/buy-generic-reminyl-online-en.html buy reminyl online, 87685, http://cheappurchaseonline.com/ generic orlistat, ibxgve, http://cheappurchaseonline.com/buy-generic-neoral-online-en.html buy neoral, vfe, http://cheappurchaseonline.com/buy-generic-isordil-online-en.html buy isordil online, =-D, df690b776f3f745836b92bbe3b97782268c84944 1399 1398 2012-05-07T18:56:33Z 31.184.238.9 0 RAaKxNZFADkFhgC 
http://cheappurchaseonline.com/buy-generic-floxin-online-en.html buy generic floxin, lrwqd, http://cheappurchaseonline.com/buy-generic-coumadin-online-en.html buy coumadin online, >:[[[, http://cheappurchaseonline.com/buy-generic-norvasc-online-en.html buy generic norvasc, rzvi, http://cheappurchaseonline.com/ buy amoxil, rxqbl, http://cheappurchaseonline.com/ amoxil, 8-], cec844b01ef28a50160c67d886edea652f392a0d 1475 1474 2012-05-07T22:28:16Z 31.184.238.15 0 TWdkxbWdDge wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-viagra-gold-online-en.html buy viagra gold online, %]]], http://cheappurchaseonline.com/buy-generic-glycomet-online-en.html buy glycomet, >:]], http://cheappurchaseonline.com/buy-generic-viramune-online-en.html buy viramune online, 861714, http://cheappurchaseonline.com/buy-generic-desyrel-online-en.html buy desyrel, rlrug, http://cheappurchaseonline.com/buy-generic-aciclovir-online-en.html buy generic aciclovir, :-((, cb962a7921da83399b768ee9728049a0fbe7d456 1476 1475 2012-05-07T22:31:17Z 31.184.238.9 0 HQDRxZgCPiSGXYMQUJ wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-apcalis-sx-online-en.html buy apcalis sx online, 9094, http://cheappurchaseonline.com/buy-generic-lopressor-online-en.html buy lopressor, 8-[, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html benicar, 03733, http://cheappurchaseonline.com/buy-generic-tegopen-online-en.html buy tegopen, 2078, http://cheappurchaseonline.com/ buy accutane online, gcrhq, ea6c3250fed947d883b58eb38c83395e7bdeb815 1477 1476 2012-05-07T22:34:14Z 31.184.238.15 0 mXkdFTgtiP wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-ibuprofen-online-en.html buy ibuprofen, 054, http://cheappurchaseonline.com/buy-generic-cordarone-online-en.html buy cordarone online, %-DDD, http://cheappurchaseonline.com/buy-generic-plendil-online-en.html generic plendil, 73051, http://cheappurchaseonline.com/buy-generic-revia-online-en.html buy revia 
online, :]]], http://cheappurchaseonline.com/buy-generic-yasmin-online-en.html buy yasmin online, %-), 46da9149eb0709b009a630932ed43da495aecd12 1478 1477 2012-05-07T22:35:55Z 31.184.238.9 0 EUlLaFIvUgUz wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-brand-viagra-online-en.html buy generic brand viagra, %((, http://cheappurchaseonline.com/buy-generic-dramamine-online-en.html dramamine, 8PPP, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html generic flagyl, 452, http://cheappurchaseonline.com/buy-generic-forzest-online-en.html forzest, 0867, http://cheappurchaseonline.com/buy-generic-augmentin-online-en.html buy generic augmentin, vkky, a2e00613ed6a5fb6fbbe199e4182c701a5440634 1479 1478 2012-05-07T22:40:05Z 31.184.238.9 0 wyWkMfmHzkfVcpPl wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy generic cialis, =-PPP, http://cheappurchaseonline.com/buy-generic-finpecia-online-en.html finpecia, 269256, http://cheappurchaseonline.com/buy-generic-glucotrol-xl-online-en.html glucotrol xl, %), http://cheappurchaseonline.com/buy-generic-levitra-oral-jelly-online-en.html buy levitra oral jelly, =PP, http://cheappurchaseonline.com/ generic kamagra, 375628, eec6601becbeda4a975b8efaf1994cc85c3bacec 1480 1479 2012-05-07T22:40:55Z 31.184.238.15 0 xjJpKGepYvTLs wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-lotensin-online-en.html buy generic lotensin, 176, http://cheappurchaseonline.com/buy-generic-cleocin-online-en.html cleocin, =-), http://cheappurchaseonline.com/buy-generic-zagam-online-en.html generic zagam, :-[[, http://cheappurchaseonline.com/buy-generic-lipitor-online-en.html buy lipitor, ppqj, http://cheappurchaseonline.com/buy-generic-persantine-online-en.html buy persantine, =-((, 2369d6fce0e6ac1a2f81c02bac353f00a397e37e 1481 1480 2012-05-07T22:44:42Z 31.184.238.9 0 sSmFkjyPlVOP wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-glucovance-online-en.html buy 
generic glucovance, >:], http://cheappurchaseonline.com/buy-generic-symmetrel-online-en.html buy symmetrel online, 621759, http://cheappurchaseonline.com/buy-generic-anaprox-online-en.html anaprox, >:DDD, http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html lamprene, %(((, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax, :OOO, f3b268fc64aef19f0c6862f18f55b8675efce784 1482 1481 2012-05-07T22:46:14Z 31.184.238.15 0 LOTMrHEOwPm wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ generic viagra, 71110, http://cheappurchaseonline.com/buy-generic-mobic-online-en.html mobic, duhfmj, http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html buy clarinex, :-[[, http://cheappurchaseonline.com/buy-generic-kamagra-effervescent-online-en.html buy kamagra effervescent online, bbje, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html hyzaar, 59664, 0785438bef79f28e1bc6a6715ab6d423c0f3b1cd 1483 1482 2012-05-07T22:48:59Z 31.184.238.9 0 yAcJfkvk wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-apcalis-sx-online-en.html buy apcalis sx, kpnxw, http://cheappurchaseonline.com/buy-generic-lopressor-online-en.html buy generic lopressor, %-P, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html generic benicar, 021870, http://cheappurchaseonline.com/buy-generic-tegopen-online-en.html tegopen, :-DD, http://cheappurchaseonline.com/ accutane, toiorz, fb09850b55e2162b4a211744df353ecd098f2c99 1484 1483 2012-05-07T22:52:17Z 31.184.238.15 0 nvgKKlyVYb wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ buy viagra, 781301, http://cheappurchaseonline.com/buy-generic-mobic-online-en.html generic mobic, msttk, http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html buy clarinex, :-))), http://cheappurchaseonline.com/buy-generic-kamagra-effervescent-online-en.html buy kamagra effervescent, 8]], http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html hyzaar, 
71390, 1cc8d7208ed71c49970dd3306a329be4e38aea51 1485 1484 2012-05-07T22:53:31Z 31.184.238.9 0 aHvOBTsMdkcucKYKV wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-eldepryl-online-en.html generic eldepryl, yhx, http://cheappurchaseonline.com/buy-generic-indocin-online-en.html buy indocin, ifgnxx, http://cheappurchaseonline.com/buy-generic-aristocort-online-en.html buy aristocort online, 740613, http://cheappurchaseonline.com/buy-generic-luvox-online-en.html buy luvox online, %[, http://cheappurchaseonline.com/ prednisone, 4036, 758b179e9483de155a7e1ceb66412b1a4083a3b2 1486 1485 2012-05-07T22:57:45Z 31.184.238.9 0 GPCNoymVx wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html generic inderal la, boa, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy viagra, >:-P, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, =PPP, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html buy generic tricor, 8(((, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html generic viagra super active, 914, 7d183b89bddadc408fc5ca83e31667043738a30d 1487 1486 2012-05-07T22:58:22Z 31.184.238.15 0 SFgHObbnQtAVaPtxki wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-ovral-online-en.html buy generic ovral, 95993, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html generic phenergan, zcsb, http://cheappurchaseonline.com/buy-generic-relafen-online-en.html buy generic relafen, :-[[[, http://cheappurchaseonline.com/buy-generic-eskalith-online-en.html eskalith, :DDD, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html buy generic calcium carbonate, 8(((, 8f2644abcd1be39a8476c0546f78d8c64ff7e037 1488 1487 2012-05-07T23:02:00Z 31.184.238.9 0 EOIAGcHOZPqSCKZXtd wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-pepcid-online-en.html buy pepcid online, 694254, 
http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html generic chloromycetin, %(((, http://cheappurchaseonline.com/buy-generic-cefaclor-online-en.html cefaclor, %[[, http://cheappurchaseonline.com/buy-generic-rebetol-online-en.html buy rebetol, 158, http://cheappurchaseonline.com/ buy viagra super active, fum, 905e3ebc31bc51b25faf85957e2735df10e1368d 1489 1488 2012-05-07T23:04:25Z 31.184.238.15 0 KUkcROqTZIVs wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-glucophage-online-en.html generic glucophage, krtv, http://cheappurchaseonline.com/buy-generic-grifulvin-v-online-en.html generic grifulvin v, 262, http://cheappurchaseonline.com/buy-generic-arava-online-en.html buy generic arava, 210, http://cheappurchaseonline.com/buy-generic-aralen-online-en.html buy aralen online, >:-DD, http://cheappurchaseonline.com/ buy strattera, qjxkqk, d2b24d11b183917dbc931cf6cf1ef268dbabdf91 1490 1489 2012-05-07T23:06:20Z 31.184.238.9 0 uKSACgnFUjvBKhP wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-motilium-online-en.html buy motilium online, :[[, http://cheappurchaseonline.com/buy-generic-eulexin-online-en.html buy generic eulexin, xxmq, http://cheappurchaseonline.com/buy-generic-astelin-online-en.html buy astelin, =-((, http://cheappurchaseonline.com/buy-generic-starlix-online-en.html generic starlix, %(, http://cheappurchaseonline.com/buy-generic-fludac-online-en.html fludac, 20784, a1f17222a39d290c19032ce99aa54ee879c1d6d1 1491 1490 2012-05-07T23:10:41Z 31.184.238.15 0 EdwMqjvHxYWxWpYo wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-avapro-online-en.html buy generic avapro, kdmqjg, http://cheappurchaseonline.com/buy-generic-levitra-soft-online-en.html buy levitra soft, >:-))), http://cheappurchaseonline.com/buy-generic-allopurinol-online-en.html buy allopurinol, 01607, http://cheappurchaseonline.com/buy-generic-silagra-online-en.html buy silagra online, %-)), http://cheappurchaseonline.com/ 
generic priligy, 070357, 10877c90b3d3f7cc93882be4c13722042baabd1e 1492 1491 2012-05-07T23:10:54Z 31.184.238.9 0 jZCyPGjHNhnL wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-isordil-online-en.html isordil, =-((, http://cheappurchaseonline.com/buy-generic-lopid-online-en.html buy lopid online, :-]], http://cheappurchaseonline.com/buy-generic-wellbutrin-online-en.html buy wellbutrin online, npck, http://cheappurchaseonline.com/buy-generic-grisactin-online-en.html buy grisactin online, %OO, http://cheappurchaseonline.com/buy-generic-mysoline-online-en.html buy mysoline, =), b760c3c87a23968baa8f7ac539e1701210a40284 1493 1492 2012-05-07T23:15:12Z 31.184.238.9 0 ryUAlDutiICtdc wikitext text/x-wiki , http://cheappurchaseonline.com/ buy clomid, gbloo, http://cheappurchaseonline.com/buy-generic-risnia-online-en.html risnia, qhcen, http://cheappurchaseonline.com/buy-generic-maxaquin-online-en.html buy maxaquin online, 7534, http://cheappurchaseonline.com/buy-generic-benadryl-online-en.html benadryl, 491779, http://cheappurchaseonline.com/buy-generic-viagra-gold-online-en.html buy viagra gold online, =-O, 07db5f0ba913397a2fbf5c8e94209f7fbe85dba9 1494 1493 2012-05-07T23:16:55Z 31.184.238.15 0 aCqqCKmCaKpbNn wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-levitra-with-dapoxetine-online-en.html generic levitra with dapoxetine, %), http://cheappurchaseonline.com/buy-generic-isoptin-sr-online-en.html buy generic isoptin sr, 2813, http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html buy generic inderal la, 49862, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, kzkk, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, 8-O, f45d6b02742a25ce0e8ea41b8c7d54b78a47c203 1495 1494 2012-05-07T23:19:37Z 31.184.238.9 0 cVXoicDGDPJTwShtp wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-vigora-online-en.html generic vigora, zklf, 
http://cheappurchaseonline.com/buy-generic-claritin-online-en.html claritin, =-DDD, http://cheappurchaseonline.com/buy-generic-levitra-professional-online-en.html buy levitra professional online, 999, http://cheappurchaseonline.com/buy-generic-betapace-online-en.html buy generic betapace, vyt, http://cheappurchaseonline.com/ propecia, topsfp, f1a2a2eeb971f743644b8acea55b0d5044b6e008 1496 1495 2012-05-07T23:23:05Z 31.184.238.15 0 JWRCaRzKbl wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ accutane, 8190, http://cheappurchaseonline.com/buy-generic-brethine-online-en.html brethine, dkxg, http://cheappurchaseonline.com/buy-generic-cialis-soft-online-en.html buy generic cialis soft, %-]]], http://cheappurchaseonline.com/buy-generic-toprol-online-en.html toprol, 33210, http://cheappurchaseonline.com/buy-generic-furacin-online-en.html furacin, 382, cb41d2a916b6eedf311854f4aa37eb2db0562898 1497 1496 2012-05-07T23:24:01Z 31.184.238.9 0 zrlVACfobOgFn wikitext text/x-wiki , http://cheappurchaseonline.com/ strattera, 2147, http://cheappurchaseonline.com/buy-generic-tinidazole-online-en.html buy generic tinidazole, 9635, http://cheappurchaseonline.com/buy-generic-proventil-online-en.html buy proventil, >:OOO, http://cheappurchaseonline.com/buy-generic-effexor-online-en.html buy effexor online, 1763, http://cheappurchaseonline.com/buy-generic-sinemet-cr-online-en.html buy sinemet cr online, yxzih, 396a9bf928608bc2e0e9470defe617bf344e93aa 1498 1497 2012-05-07T23:28:24Z 31.184.238.9 0 bxbmABRqlEqIbMKcx wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-catapres-online-en.html generic catapres, 3662, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy generic viagra professional, 8-DDD, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html cozaar, vdnik, http://cheappurchaseonline.com/buy-generic-amaryl-online-en.html amaryl, wjc, http://cheappurchaseonline.com/buy-generic-aciclovir-online-en.html generic 
aciclovir, sncrd, fbb11e35957cc6b3464e89a658679e045fa41983 1499 1498 2012-05-07T23:29:24Z 31.184.238.15 0 PSkBoHjmiG wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-claritin-online-en.html buy generic claritin, wciq, http://cheappurchaseonline.com/buy-generic-levitra-professional-online-en.html buy levitra professional, tbuqbo, http://cheappurchaseonline.com/buy-generic-betapace-online-en.html generic betapace, 49430, http://cheappurchaseonline.com/ buy propecia online, emqgco, http://cheappurchaseonline.com/buy-generic-motilium-online-en.html buy motilium, 1859, 0c923880de3d6c820e242fb1ffd5e29d8e1cb90b 1500 1499 2012-05-07T23:33:31Z 31.184.238.9 0 GplDztUGyVCUe wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-suhagra-online-en.html buy generic suhagra, mus, http://cheappurchaseonline.com/buy-generic-requip-online-en.html buy generic requip, >:]], http://cheappurchaseonline.com/buy-generic-prograf-online-en.html prograf, qjpehq, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html vibramycin, 8758, http://cheappurchaseonline.com/buy-generic-fluoxetine-online-en.html buy generic fluoxetine, 8-DD, 27915697261d80ec63bb02a0ef554d71558ead6c 1501 1500 2012-05-07T23:37:24Z 31.184.238.9 0 LAwkTHCHPUMHGGoYnAJ wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-monopril-online-en.html buy monopril, 8-(, http://cheappurchaseonline.com/buy-generic-tadalis-sx-soft-online-en.html tadalis sx soft, 15003, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html buy nizoral, 8[, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy amoxil online, puk, http://cheappurchaseonline.com/buy-generic-prandin-online-en.html buy prandin, 993205, dab0db9f9b43fcafed5132c2ab6ecc97d04ef41d 1502 1501 2012-05-07T23:41:35Z 31.184.238.15 0 gDpFQFfhgfRsF wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-diltiazem-online-en.html diltiazem, >:-[, 
http://cheappurchaseonline.com/buy-generic-rythmol-online-en.html rythmol, mfquwv, http://cheappurchaseonline.com/ buy generic viagra super active, 883, http://cheappurchaseonline.com/buy-generic-anaprox-online-en.html anaprox, bqw, http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html generic lamprene, ouhuxp, 9b72d55e53ee8da882ca3d61bd372c1c9e3ab502 1503 1502 2012-05-07T23:41:40Z 31.184.238.9 0 GwehvQLHRooHk wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-lotensin-online-en.html generic lotensin, 0156, http://cheappurchaseonline.com/buy-generic-cleocin-online-en.html cleocin, 060, http://cheappurchaseonline.com/buy-generic-zagam-online-en.html generic zagam, =-), http://cheappurchaseonline.com/ generic cialis super active, :)), http://cheappurchaseonline.com/buy-generic-lipitor-online-en.html buy generic lipitor, :-((, 68ab6f17324538e50468eb721c0f536f3209dc11 1504 1503 2012-05-07T23:46:01Z 31.184.238.9 0 KhYZZPXYpL wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-allopurinol-online-en.html buy allopurinol, :-]]], http://cheappurchaseonline.com/buy-generic-silagra-online-en.html buy generic silagra, :(, http://cheappurchaseonline.com/ buy priligy, 9980, http://cheappurchaseonline.com/buy-generic-biaxin-online-en.html buy biaxin, =-P, http://cheappurchaseonline.com/buy-generic-intagra-online-en.html intagra, 279184, e100f84ac6d8739a2356c3382ecbab7c761c9367 1505 1504 2012-05-07T23:47:53Z 31.184.238.15 0 mbTfNuLoMuw wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-alfacip-online-en.html buy alfacip online, 1735, http://cheappurchaseonline.com/buy-generic-vasotec-online-en.html generic vasotec, umvk, http://cheappurchaseonline.com/buy-generic-xalatan-0005-online-en.html buy xalatan 0.005%, lqsuru, http://cheappurchaseonline.com/ orlistat, 912, http://cheappurchaseonline.com/ strattera, omfj, 83989ce374cd04cadd97b57b4eb5340ae98b4e1a 1506 1505 2012-05-07T23:50:15Z 31.184.238.9 0 cxyBwMMzisdNNVp 
Linux Security Summit 2012
http://cheappurchaseonline.com/buy-generic-singulair-online-en.html buy generic singulair, 02891, http://cheappurchaseonline.com/buy-generic-azulfidine-online-en.html buy generic azulfidine, 293283, http://cheappurchaseonline.com/buy-generic-desogen-online-en.html generic desogen, fztyj, http://cheappurchaseonline.com/buy-generic-diltiazem-online-en.html buy diltiazem, :[[[, http://cheappurchaseonline.com/buy-generic-rythmol-online-en.html buy rythmol, ksg, b1a18d3d527c640bcbe17358e9ee2edf112e21e4 1535 1534 2012-05-08T01:01:55Z 31.184.238.15 0 QGNTZAjaTgxXfPtHWlg wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-valparin-online-en.html valparin, :-), http://cheappurchaseonline.com/buy-generic-ticlid-online-en.html ticlid, =PPP, http://cheappurchaseonline.com/buy-generic-xeloda-online-en.html buy xeloda, =-[, http://cheappurchaseonline.com/buy-generic-stromectol-online-en.html buy stromectol, darvmv, http://cheappurchaseonline.com/ viagra professional, qhetv, 0ee991a791dd1bdc0c59dc628a2ceb57c9055ef4 1536 1535 2012-05-08T01:02:24Z 31.184.238.9 0 sXGTUwgPHImufPNGnq wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-kamagra-flavored-online-en.html generic kamagra flavored, =D, http://cheappurchaseonline.com/buy-generic-aceon-online-en.html buy generic aceon, 8DD, http://cheappurchaseonline.com/buy-generic-tetracycline-online-en.html buy generic tetracycline, fhk, http://cheappurchaseonline.com/buy-generic-lincocin-online-en.html buy generic lincocin, 722, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy zoloft, 277, adb4e68d1c1ab63db7713336f71e0829be3ac9f6 1537 1536 2012-05-08T01:06:35Z 31.184.238.9 0 HzvtcEeQLh wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-glucovance-online-en.html buy glucovance online, 89592, http://cheappurchaseonline.com/buy-generic-symmetrel-online-en.html buy generic symmetrel, bbatf, http://cheappurchaseonline.com/buy-generic-anaprox-online-en.html anaprox, 65943, 
http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html buy lamprene online, >:OOO, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html zithromax, 8120, 7f8bd7f64e4f6be410f186fbd36f26271f8b113d 1538 1537 2012-05-08T01:07:48Z 31.184.238.15 0 OmpGYAVcTlgrwLU wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-avapro-online-en.html buy avapro online, 12596, http://cheappurchaseonline.com/buy-generic-levitra-soft-online-en.html buy generic levitra soft, qts, http://cheappurchaseonline.com/buy-generic-allopurinol-online-en.html buy generic allopurinol, xpo, http://cheappurchaseonline.com/buy-generic-silagra-online-en.html buy generic silagra, 188276, http://cheappurchaseonline.com/ generic priligy, 726, 3cba7884b5cc4dae80b8ed13d45b9a3b6341c8ec 1539 1538 2012-05-08T01:11:10Z 31.184.238.9 0 itDkgkxkOWBjRRnaQ wikitext text/x-wiki , http://cheappurchaseonline.com/ buy clomid, %-], http://cheappurchaseonline.com/buy-generic-risnia-online-en.html generic risnia, 57923, http://cheappurchaseonline.com/buy-generic-maxaquin-online-en.html buy generic maxaquin, 8634, http://cheappurchaseonline.com/buy-generic-benadryl-online-en.html buy benadryl online, jwejkq, http://cheappurchaseonline.com/buy-generic-viagra-gold-online-en.html viagra gold, kvtv, ed4c66e6de5b5526a2fc96d3b0306073141155d6 1540 1539 2012-05-08T01:13:20Z 31.184.238.15 0 daNteLLEkMWaTabbm wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-augmentin-online-en.html generic augmentin, %-PPP, http://cheappurchaseonline.com/buy-generic-kemadrin-online-en.html buy kemadrin online, 7854, http://cheappurchaseonline.com/buy-generic-combipres-online-en.html generic combipres, xyqu, http://cheappurchaseonline.com/buy-generic-protonix-online-en.html buy generic protonix, 365, http://cheappurchaseonline.com/buy-generic-zestril-online-en.html buy generic zestril, mrn, c36993fcfc38b4c03445cbf4968d493a8a50c4d9 1541 1540 2012-05-08T01:15:01Z 31.184.238.9 0 
BlyxiXCPcecAjED wikitext text/x-wiki , http://cheappurchaseonline.com/ priligy, eolo, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html cialis professional, olczv, http://cheappurchaseonline.com/buy-generic-omnicef-online-en.html omnicef, =-], http://cheappurchaseonline.com/buy-generic-clonidine-online-en.html buy clonidine, ugwjwy, http://cheappurchaseonline.com/buy-generic-colospa-online-en.html buy colospa online, ojzhea, 0d5ff45c0e0817abed0377a6c1656982b8ac14c7 1542 1541 2012-05-08T01:18:23Z 31.184.238.15 0 LfGEiRYwgtLJz wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-terramycin-online-en.html buy terramycin, ewrrw, http://cheappurchaseonline.com/buy-generic-isoptin-online-en.html buy generic isoptin, =-(((, http://cheappurchaseonline.com/buy-generic-monopril-online-en.html buy generic monopril, wlkns, http://cheappurchaseonline.com/buy-generic-tadalis-sx-soft-online-en.html buy tadalis sx soft online, %[[, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html nizoral, 6869, 89004ee80c3cd1e2c4bb74db87d3491bea45db40 1543 1542 2012-05-08T01:19:06Z 31.184.238.9 0 avowegLkvEHWfm wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-kamagra-flavored-online-en.html buy generic kamagra flavored, :PP, http://cheappurchaseonline.com/buy-generic-aceon-online-en.html buy aceon online, 62462, http://cheappurchaseonline.com/buy-generic-tetracycline-online-en.html buy tetracycline online, 9538, http://cheappurchaseonline.com/buy-generic-lincocin-online-en.html buy lincocin online, >:-]]], http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html generic zoloft, xniqem, a1a107183a40bda692d6dc4d6afb3a5cebf6f101 1544 1543 2012-05-08T01:23:37Z 31.184.238.9 0 jXkDdcBblFZpAeh wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-verapamil-online-en.html buy generic verapamil, 399, http://cheappurchaseonline.com/buy-generic-valtrex-online-en.html valtrex, >:-DD, 
http://cheappurchaseonline.com/buy-generic-bupron-sr-online-en.html buy bupron sr, 825, http://cheappurchaseonline.com/ buy viagra online, luij, http://cheappurchaseonline.com/buy-generic-mobic-online-en.html mobic, 8126, eaeeadac3069515c429af8c3f6e33f065ff635a5 1545 1544 2012-05-08T01:23:52Z 31.184.238.15 0 rzljaeCBttJ wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-motrin-online-en.html buy generic motrin, iwhbfh, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html cardura, 0906, http://cheappurchaseonline.com/buy-generic-epivir-hbv-online-en.html buy epivir hbv, eypod, 17ff49ed8abff19063fa0d24c92421c29d48d248 1546 1545 2012-05-08T01:27:44Z 31.184.238.9 0 QmoIBuPjbbvWRkjv wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-cytotec-online-en.html buy cytotec, 1595, http://cheappurchaseonline.com/ generic cialis, %-O, http://cheappurchaseonline.com/buy-generic-paxil-cr-online-en.html buy paxil cr, 57221, http://cheappurchaseonline.com/buy-generic-lamictal-online-en.html generic lamictal, 8((, http://cheappurchaseonline.com/buy-generic-sporanox-online-en.html buy sporanox, 0798, f5cc0ee5705023e6becf845fe4c34ecc4fd20113 1547 1546 2012-05-08T01:29:20Z 31.184.238.15 0 aukXtqOfaxgrYeD wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-combivir-online-en.html buy combivir online, =], http://cheappurchaseonline.com/buy-generic-tadacip-online-en.html buy tadacip, mmtjb, http://cheappurchaseonline.com/buy-generic-toprol-xl-online-en.html buy generic toprol xl, 390078, http://cheappurchaseonline.com/ buy generic levitra, dphpn, http://cheappurchaseonline.com/buy-generic-tofranil-online-en.html buy tofranil online, 48640, 6e3ef4581c5d936439d54d4f108869419879b1e3 1548 1547 2012-05-08T01:32:12Z 31.184.238.9 0 NMgrgDzqLxvnBLfYI wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-floxin-online-en.html floxin, uiryb, http://cheappurchaseonline.com/buy-generic-coumadin-online-en.html generic 
coumadin, qxrjgb, http://cheappurchaseonline.com/buy-generic-norvasc-online-en.html buy norvasc, wpb, http://cheappurchaseonline.com/ buy generic amoxil, 8459, http://cheappurchaseonline.com/ buy amoxil online, %DD, 24366ced02905fa13382cf0a24608968c6e9cf0c 1549 1548 2012-05-08T01:34:46Z 31.184.238.15 0 VINrSSpaVPNYmz wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-cytoxan-online-en.html buy cytoxan online, 282, http://cheappurchaseonline.com/buy-generic-nimotop-online-en.html buy generic nimotop, 279938, http://cheappurchaseonline.com/buy-generic-macrobid-online-en.html generic macrobid, 47250, http://cheappurchaseonline.com/buy-generic-super-hard-on-online-en.html buy generic super hard on, xbu, http://cheappurchaseonline.com/buy-generic-serevent-online-en.html generic serevent, qcwfc, 57c535e1e783b074bd0889e273eec6196fd31d79 1550 1549 2012-05-08T01:36:37Z 31.184.238.9 0 WqSbauzna wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-cytoxan-online-en.html cytoxan, 90208, http://cheappurchaseonline.com/buy-generic-nimotop-online-en.html generic nimotop, 7156, http://cheappurchaseonline.com/buy-generic-macrobid-online-en.html buy generic macrobid, esd, http://cheappurchaseonline.com/buy-generic-super-hard-on-online-en.html buy generic super hard on, mhwsk, http://cheappurchaseonline.com/buy-generic-serevent-online-en.html buy generic serevent, >:((, bd5bdddafa7d0ceee0f427d2bc60b988aee200c5 1551 1550 2012-05-08T01:40:07Z 31.184.238.15 0 WKcIgdGReNMUaDnh wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-viagra-gold-online-en.html viagra gold, bkppc, http://cheappurchaseonline.com/buy-generic-glycomet-online-en.html buy glycomet online, bpnevb, http://cheappurchaseonline.com/buy-generic-viramune-online-en.html viramune, %))), http://cheappurchaseonline.com/buy-generic-desyrel-online-en.html desyrel, tybc, http://cheappurchaseonline.com/buy-generic-aciclovir-online-en.html aciclovir, >:(((, 
9073327d2816d8ec6ed282bdff7bfc2bc80d72d8 1552 1551 2012-05-08T01:40:40Z 31.184.238.9 0 TrgYYGNedM wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-glucovance-online-en.html buy glucovance online, 12146, http://cheappurchaseonline.com/buy-generic-symmetrel-online-en.html symmetrel, 167, http://cheappurchaseonline.com/buy-generic-anaprox-online-en.html buy anaprox, whbohc, http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html lamprene, :-((, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy generic zithromax, 241, 4f154a09dfd3e2008dca68c30948cecad6c34458 1553 1552 2012-05-08T01:44:52Z 31.184.238.9 0 rNeTrLDVpcsbYPrHWyI wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-motilium-online-en.html buy motilium, uglush, http://cheappurchaseonline.com/buy-generic-eulexin-online-en.html generic eulexin, vhe, http://cheappurchaseonline.com/buy-generic-astelin-online-en.html buy astelin, 704897, http://cheappurchaseonline.com/buy-generic-starlix-online-en.html buy generic starlix, 83852, http://cheappurchaseonline.com/buy-generic-fludac-online-en.html buy fludac, xve, 00c1a4b11e2f6b17aa264b7352b1ba48a4e1d746 1554 1553 2012-05-08T01:45:12Z 31.184.238.15 0 rUctWCKxhUINcDxXlE wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-glucophage-online-en.html generic glucophage, 55801, http://cheappurchaseonline.com/buy-generic-grifulvin-v-online-en.html grifulvin v, 103529, http://cheappurchaseonline.com/buy-generic-arava-online-en.html buy generic arava, 92111, http://cheappurchaseonline.com/buy-generic-aralen-online-en.html buy generic aralen, =-]]], http://cheappurchaseonline.com/ buy strattera, 417, 6e4a7290ab16634db267903e6d9b9d91a252e0e1 1555 1554 2012-05-08T01:49:19Z 31.184.238.9 0 FlmESnJl wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-brand-viagra-online-en.html buy brand viagra, %(((, http://cheappurchaseonline.com/buy-generic-dramamine-online-en.html buy generic 
dramamine, 51102, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy flagyl, 49333, http://cheappurchaseonline.com/buy-generic-forzest-online-en.html buy generic forzest, 14851, http://cheappurchaseonline.com/buy-generic-augmentin-online-en.html generic augmentin, 6556, 0e224f5cdcd2df2cf03fcf03a57b40d6a7331b0e 1556 1555 2012-05-08T01:50:06Z 31.184.238.15 0 PJYhWFbvsasZYjFIhB wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-leukeran-online-en.html leukeran, przd, http://cheappurchaseonline.com/buy-generic-sustiva-online-en.html buy sustiva online, oxr, http://cheappurchaseonline.com/buy-generic-prevacid-online-en.html generic prevacid, %]], http://cheappurchaseonline.com/ buy generic viagra professional, boxr, http://cheappurchaseonline.com/buy-generic-prozac-online-en.html prozac, 8-PP, 2954f2c333b7a52adf392dc39ad990a8fc2d3b16 Linux Security Summit 2012 0 8 1557 1556 2012-05-08T01:57:33Z 31.184.238.9 0 eSeAcNOvNzVVJsXg wikitext text/x-wiki , http://cheappurchaseonline.com/ buy clomid, 8-[[, http://cheappurchaseonline.com/buy-generic-urispas-online-en.html urispas, %-[, http://cheappurchaseonline.com/buy-generic-antabuse-online-en.html buy antabuse, >:((, http://cheappurchaseonline.com/buy-generic-avapro-online-en.html avapro, :-PPP, http://cheappurchaseonline.com/buy-generic-levitra-soft-online-en.html generic levitra soft, tqt, 27a17cbec1ab1c2090e4676007aa3e7d72a7bcdf 1558 1557 2012-05-08T02:00:23Z 31.184.238.15 0 YzAbQjLhxcr wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-tinidazole-online-en.html buy generic tinidazole, >:-DD, http://cheappurchaseonline.com/buy-generic-proventil-online-en.html buy generic proventil, 50354, http://cheappurchaseonline.com/buy-generic-effexor-online-en.html buy effexor, gconlk, http://cheappurchaseonline.com/buy-generic-sinemet-cr-online-en.html buy sinemet cr, 8((, http://cheappurchaseonline.com/buy-generic-levlen-online-en.html buy generic levlen, :-PPP, 
3154b090e2e95633fab845268714a7df7321f47d 1559 1558 2012-05-08T02:01:46Z 31.184.238.9 0 tJPNqrBNe wikitext text/x-wiki , http://cheappurchaseonline.com/ buy doxycycline online, burhi, http://cheappurchaseonline.com/buy-generic-uniphyl-cr-online-en.html buy uniphyl cr online, 8399, http://cheappurchaseonline.com/buy-generic-atarax-online-en.html generic atarax, rvb, http://cheappurchaseonline.com/buy-generic-levitra-with-dapoxetine-online-en.html levitra with dapoxetine, tcofgc, http://cheappurchaseonline.com/buy-generic-isoptin-sr-online-en.html isoptin sr, hsgw, dee20fcdd75c2872a3a4ac878e80a4e87cdb8f4f 1560 1559 2012-05-08T02:05:52Z 31.184.238.15 0 RrnLkthDvkkYsGE wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-ovral-online-en.html buy ovral, gee, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html generic phenergan, =), http://cheappurchaseonline.com/buy-generic-relafen-online-en.html buy relafen online, 369, http://cheappurchaseonline.com/buy-generic-eskalith-online-en.html generic eskalith, =DD, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html buy calcium carbonate online, wpdkee, 1b3c22698680d8341fa6e5dbc719aab5aaa3ba2c 1561 1560 2012-05-08T02:06:19Z 31.184.238.9 0 FUsECrhzPaAUk wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-suhagra-online-en.html buy suhagra, yjtggj, http://cheappurchaseonline.com/buy-generic-requip-online-en.html generic requip, 210, http://cheappurchaseonline.com/buy-generic-prograf-online-en.html generic prograf, fglhc, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html vibramycin, jhiyax, http://cheappurchaseonline.com/buy-generic-fluoxetine-online-en.html buy fluoxetine, shu, 64eb98b4c41d21bcca3578fb5d0d39fe5f110f12 1562 1561 2012-05-08T02:14:59Z 31.184.238.9 0 BHSVXVvTjLET wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html buy clarinex online, 8-OOO, 
http://cheappurchaseonline.com/buy-generic-kamagra-effervescent-online-en.html generic kamagra effervescent, 8[[[, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html buy generic hyzaar, >:-(((, http://cheappurchaseonline.com/buy-generic-myambutol-online-en.html generic myambutol, 86534, http://cheappurchaseonline.com/buy-generic-zebeta-online-en.html buy generic zebeta, >:OO, 16482c5b129a015f32b1a71a5578f8def1010a35 1563 1562 2012-05-08T02:16:46Z 31.184.238.15 0 mCmbypvFWCGdPpYHVS wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-lopid-online-en.html buy lopid, sdp, http://cheappurchaseonline.com/buy-generic-wellbutrin-online-en.html generic wellbutrin, :-], http://cheappurchaseonline.com/buy-generic-grisactin-online-en.html generic grisactin, exw, http://cheappurchaseonline.com/buy-generic-mysoline-online-en.html mysoline, mfx, http://cheappurchaseonline.com/buy-generic-duricef-online-en.html buy duricef, bueu, 905f2ca73631d7c63e6252ce41310d87770c6941 1564 1563 2012-05-08T02:19:28Z 31.184.238.9 0 AzXKACwTMOMhjGffVlq wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-atrovent-online-en.html atrovent, =-)), http://cheappurchaseonline.com/buy-generic-combivir-online-en.html buy combivir, 8))), http://cheappurchaseonline.com/buy-generic-tadacip-online-en.html generic tadacip, rbm, http://cheappurchaseonline.com/buy-generic-toprol-xl-online-en.html toprol xl, =-PPP, http://cheappurchaseonline.com/ buy levitra online, %-[[[, e4955f3c388f8ed9ed96936d78b1c84e3872e18e 1565 1564 2012-05-08T02:21:39Z 31.184.238.15 0 PfvVLDMglQKlzB wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-paxil-online-en.html buy paxil, 5469, http://cheappurchaseonline.com/buy-generic-tegretol-online-en.html tegretol, xxe, http://cheappurchaseonline.com/buy-generic-elavil-online-en.html generic elavil, 59329, http://cheappurchaseonline.com/buy-generic-vermox-online-en.html generic vermox, :-DD, 
http://cheappurchaseonline.com/ flagyl, ichbr, f084f093cb2b339ce0449a6dbdbbd8eb9540fc80 1566 1565 2012-05-08T02:23:16Z 31.184.238.9 0 iORJLUhuEIfhEuUMJIF wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-floxin-online-en.html buy floxin, :DD, http://cheappurchaseonline.com/buy-generic-coumadin-online-en.html buy coumadin, 8-))), http://cheappurchaseonline.com/buy-generic-norvasc-online-en.html buy norvasc online, hgjapv, http://cheappurchaseonline.com/ buy generic amoxil, 21787, http://cheappurchaseonline.com/ buy amoxil online, ixbp, 53ce27791ad0568f0f06f5c758f4f28b0c79c59d 1567 1566 2012-05-08T02:26:34Z 31.184.238.15 0 fgbNKyRdrkNevyrQs wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-levitra-with-dapoxetine-online-en.html buy levitra with dapoxetine online, =-)), http://cheappurchaseonline.com/buy-generic-isoptin-sr-online-en.html buy isoptin sr, 6265, http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html generic inderal la, 8(, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy generic viagra, jmnxo, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, zjjih, eda263d46d52e8c6c433305b4aebf4c94c6d907b 1568 1567 2012-05-08T02:27:31Z 31.184.238.9 0 wwVnYSiqpamzSvZ wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html generic inderal la, =D, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy viagra, fpln, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, 9343, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html buy tricor, kip, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active, ldeciy, 7899862eb716c0fb08ec2bb9971de6a42027b9dd 1569 1568 2012-05-08T02:32:05Z 31.184.238.15 0 hdUdzIftYJMdrTyAP wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-furadantin-online-en.html buy generic furadantin, hazx, 
http://cheappurchaseonline.com/buy-generic-zyprexa-online-en.html buy generic zyprexa, 5703, http://cheappurchaseonline.com/ generic lasix, 8-[[[, http://cheappurchaseonline.com/buy-generic-erythromycin-online-en.html buy erythromycin, qgqzy, http://cheappurchaseonline.com/buy-generic-prinivil-online-en.html buy generic prinivil, =PPP, 9cfe6221edc01fb98be1f01c9e9e552bd29c3e92 1570 1569 2012-05-08T02:32:07Z 31.184.238.9 0 cGvqSTbwwcY wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html inderal la, %DDD, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy viagra, =-P, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html ansaid, eul, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html buy tricor online, 136994, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy generic viagra super active, 9120, 5bc4f6396a31179b6f4a251d5cca1d347d554bcd 1571 1570 2012-05-08T02:35:42Z 31.184.238.9 0 ltlIsSQOPEKeQxMP wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-monopril-online-en.html buy monopril, :-]]], http://cheappurchaseonline.com/buy-generic-tadalis-sx-soft-online-en.html buy tadalis sx soft online, 304905, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html buy nizoral online, lwfz, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy generic amoxil, rthot, http://cheappurchaseonline.com/buy-generic-prandin-online-en.html buy generic prandin, cwn, d6c2d3fae4658f8b2d9fa828c778b0a5da618077 1572 1571 2012-05-08T02:37:06Z 31.184.238.15 0 HYhyAoIgOCCttCjeWM wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-apcalis-sx-oral-jelly-online-en.html buy apcalis sx oral jelly online, wifvy, http://cheappurchaseonline.com/buy-generic-flovent-online-en.html buy flovent online, gfswqm, http://cheappurchaseonline.com/buy-generic-precose-online-en.html generic precose, :-)), 
http://cheappurchaseonline.com/buy-generic-levothroid-online-en.html buy generic levothroid, >:-PP, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy strattera online, rmkmhe, 7bc80f123e13b5e2c4358ef1d85e83e0deb12ee0 1573 1572 2012-05-08T02:39:43Z 31.184.238.9 0 MQHBrRYkDNWKxPZ wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html buy clarinex, soj, http://cheappurchaseonline.com/buy-generic-kamagra-effervescent-online-en.html buy kamagra effervescent online, wcybc, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html buy hyzaar online, mdsl, http://cheappurchaseonline.com/buy-generic-myambutol-online-en.html buy myambutol online, %(((, http://cheappurchaseonline.com/buy-generic-zebeta-online-en.html generic zebeta, 5032, 49ee82460dabd2b87abaf32c9f92d6a8f3a5ed13 1574 1573 2012-05-08T02:42:06Z 31.184.238.15 0 ldFVdvurpx wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-ortho-tri-cyclen-online-en.html generic ortho tri-cyclen, tchk, http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html cymbalta, ljxqux, http://cheappurchaseonline.com/buy-generic-trandate-online-en.html buy trandate, >:-]]], http://cheappurchaseonline.com/buy-generic-tritace-online-en.html buy generic tritace, 201, http://cheappurchaseonline.com/buy-generic-zovirax-online-en.html buy zovirax, boplr, 134880b087d9ca3da894b61998960fd46ae4b546 1575 1574 2012-05-08T02:43:34Z 31.184.238.9 0 jGAnmaBP wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-arcoxia-online-en.html buy arcoxia, 3536, http://cheappurchaseonline.com/buy-generic-plavix-online-en.html buy generic plavix, %((, http://cheappurchaseonline.com/buy-generic-mevacor-online-en.html buy mevacor online, 535, http://cheappurchaseonline.com/buy-generic-imodium-online-en.html buy imodium, >:]], http://cheappurchaseonline.com/buy-generic-mircette-online-en.html generic mircette, 8-PP, 34ad417a16bb7b019c025b037a8e6f82d19f1d9d 1576 
1575 2012-05-08T02:47:09Z 31.184.238.15 0 FrCcndKOISL wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-asendin-online-en.html buy asendin, 60282, http://cheappurchaseonline.com/buy-generic-lotrel-online-en.html buy lotrel online, =-DDD, http://cheappurchaseonline.com/buy-generic-sumycin-online-en.html buy sumycin online, :-), http://cheappurchaseonline.com/buy-generic-aricept-online-en.html aricept, iqxb, http://cheappurchaseonline.com/buy-generic-nitroglycerin-online-en.html buy generic nitroglycerin, 823, 40035fd6e4da1a8c7430d685654bcad32800d402 1577 1576 2012-05-08T02:47:36Z 31.184.238.9 0 DBeJpwTYLYqRJutNc wikitext text/x-wiki , http://cheappurchaseonline.com/ doxycycline, =)), http://cheappurchaseonline.com/buy-generic-uniphyl-cr-online-en.html buy uniphyl cr online, xhoh, http://cheappurchaseonline.com/buy-generic-atarax-online-en.html buy atarax online, 790803, http://cheappurchaseonline.com/buy-generic-levitra-with-dapoxetine-online-en.html generic levitra with dapoxetine, 8(((, http://cheappurchaseonline.com/buy-generic-isoptin-sr-online-en.html buy isoptin sr online, vln, 2ad7c998cee7981b0a3feedc036a2ea42c9c5b14 1578 1577 2012-05-08T02:52:24Z 31.184.238.15 0 mqyYiHarp wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-maxolon-online-en.html generic maxolon, 73982, http://cheappurchaseonline.com/buy-generic-reminyl-online-en.html reminyl, :-[[[, http://cheappurchaseonline.com/ buy generic orlistat, %-]], http://cheappurchaseonline.com/buy-generic-neoral-online-en.html buy generic neoral, vni, http://cheappurchaseonline.com/buy-generic-isordil-online-en.html generic isordil, nakpyh, 830aea1c58e333d1c62bdd0e609c7370d1250d77 1579 1578 2012-05-08T02:52:31Z 31.184.238.9 0 HuDgERXW wikitext text/x-wiki , http://cheappurchaseonline.com/ buy priligy, =P, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html buy generic cialis professional, :D, 
Linux Security Summit 2012 0 8
1368dfa849b96dbc914232d4d7a25844333f852d 1661 1658 2012-05-08T05:47:31Z 31.184.238.9 0 TgoLPsqzSdAzuosdCoR wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-suhagra-online-en.html generic suhagra, wjzhza, http://cheappurchaseonline.com/buy-generic-requip-online-en.html generic requip, 377, http://cheappurchaseonline.com/buy-generic-prograf-online-en.html buy prograf online, 912, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html generic vibramycin, vfzwe, http://cheappurchaseonline.com/buy-generic-fluoxetine-online-en.html buy generic fluoxetine, %((, 6e68cc66c5fb0931e0fa9ead018e0dfd85061f2f 1662 1661 2012-05-08T05:47:33Z 31.184.238.15 0 MShiHerLOwgNWUz wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-asendin-online-en.html buy asendin, 5105, http://cheappurchaseonline.com/buy-generic-lotrel-online-en.html buy lotrel, :PP, http://cheappurchaseonline.com/buy-generic-sumycin-online-en.html buy sumycin online, 4986, http://cheappurchaseonline.com/buy-generic-aricept-online-en.html generic aricept, %-D, http://cheappurchaseonline.com/buy-generic-nitroglycerin-online-en.html buy nitroglycerin online, =-[[, 67834891c001a04ca7009f6d890207950d38b77f 1663 1662 2012-05-08T05:51:24Z 31.184.238.9 0 nHphIWhEgMLjXEpFr wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-monopril-online-en.html buy generic monopril, 8PPP, http://cheappurchaseonline.com/buy-generic-tadalis-sx-soft-online-en.html buy tadalis sx soft online, 788, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html nizoral, vrbk, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html amoxil, 613210, http://cheappurchaseonline.com/buy-generic-prandin-online-en.html buy generic prandin, :-O, 681c1237bed88e57c2471aed25e4c2f50783a18b Linux Security Summit 2012 0 8 1664 1663 2012-05-08T05:52:42Z 31.184.238.15 0 CmnIYWoehgdMTjL wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-zyvox-online-en.html buy 
zyvox online, mcqtvl, http://cheappurchaseonline.com/buy-generic-cycrin-online-en.html cycrin, xhsyz, http://cheappurchaseonline.com/buy-generic-caverta-online-en.html buy caverta online, :-]], http://cheappurchaseonline.com/buy-generic-lanoxin-online-en.html buy generic lanoxin, nwviow, http://cheappurchaseonline.com/ generic zoloft, %D, bf5ad793364665c5440b9b7f9ec14f4022d6cdda 1666 1664 2012-05-08T05:55:42Z 31.184.238.9 0 FIOOZCvbPR wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-arcoxia-online-en.html buy arcoxia online, 172, http://cheappurchaseonline.com/buy-generic-plavix-online-en.html buy generic plavix, 79751, http://cheappurchaseonline.com/buy-generic-mevacor-online-en.html buy mevacor online, 015, http://cheappurchaseonline.com/buy-generic-imodium-online-en.html buy generic imodium, 527431, http://cheappurchaseonline.com/buy-generic-mircette-online-en.html buy generic mircette, 374, 40134398844d14c6a60213b33509677a82aa7285 1667 1666 2012-05-08T05:57:57Z 31.184.238.15 0 QIhqDNOrNb wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-apcalis-sx-oral-jelly-online-en.html apcalis sx oral jelly, %-P, http://cheappurchaseonline.com/buy-generic-flovent-online-en.html buy generic flovent, 28817, http://cheappurchaseonline.com/buy-generic-precose-online-en.html precose, 677, http://cheappurchaseonline.com/buy-generic-levothroid-online-en.html buy levothroid online, 27049, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy strattera, uxix, 0fa0f8083dc767ca941a1ae2a19bfb2f60b1adc0 1668 1667 2012-05-08T05:59:40Z 31.184.238.9 0 nKNivavhBJOU wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy cialis online, 8(, http://cheappurchaseonline.com/buy-generic-finpecia-online-en.html generic finpecia, =O, http://cheappurchaseonline.com/buy-generic-glucotrol-xl-online-en.html buy glucotrol xl online, =)), 
http://cheappurchaseonline.com/buy-generic-levitra-oral-jelly-online-en.html buy levitra oral jelly online, =(((, http://cheappurchaseonline.com/ buy kamagra, 52013, 1ba28b83c753942b2b3c23b51d641444ac08e3c2 1669 1668 2012-05-08T06:03:37Z 31.184.238.15 0 QNKwDBdnTqTiWejNQJ wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-geodon-online-en.html geodon, 4910, http://cheappurchaseonline.com/ buy cialis, 304, http://cheappurchaseonline.com/buy-generic-zocor-online-en.html buy zocor online, 89398, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy generic propecia</a>, 605616, http://cheappurchaseonline.com/buy-generic-combivent-online-en.html buy combivent online, >:(((, 16227ffc38636ce561454f53c07f71bfaec5cc05 1670 1669 2012-05-08T06:04:50Z 31.184.238.9 0 gOYTDiqIToOv wikitext text/x-wiki , http://cheappurchaseonline.com/buy-generic-lanoxin-online-en.html generic lanoxin, pksg, d22d1affd577f98ca0ba230f9cd32786d735f62e 1671 1670 2012-05-08T06:08:06Z 31.184.238.15 0 fJjFGPIIBXhwnj wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-lopid-online-en.html buy lopid, 007, http://cheappurchaseonline.com/buy-generic-wellbutrin-online-en.html wellbutrin, vkfg, http://cheappurchaseonline.com/buy-generic-grisactin-online-en.html buy generic grisactin, 767, http://cheappurchaseonline.com/buy-generic-mysoline-online-en.html mysoline, 8-OO, http://cheappurchaseonline.com/buy-generic-duricef-online-en.html buy duricef, >:-OO, 8772ced906135124339dcc418bc8d054bf8a9f5b 1672 1671 2012-05-08T06:08:52Z 31.184.238.9 0 LqGmIBmApwjfZEOW wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic prednisone, 8-], 58e462acd5d5de844c5b998172ddeed42f31b580 1673 1672 2012-05-08T06:13:13Z 31.184.238.9 0 HBKbONiXWpWl wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic accutane, 8), 24c3d52e87f5a0722abd772aae8bd920db0ab5cb 1674 1673 2012-05-08T06:16:46Z 31.184.238.15 0 OhkWfJziOSDPEVffFCo wikitext text/x-wiki 
comment4, http://cheappurchaseonline.com/ buy kamagra online, :PPP, f988b35a81e93c48e430f89a4d45d7a98bcd87b1 1675 1674 2012-05-08T06:17:10Z 31.184.238.9 0 PuAIvmmhetMBzX wikitext text/x-wiki , http://cheappurchaseonline.com/ buy cialis super active online, 750, 231192839b5eb8e39f3829738471ec1a0d2bee19 1676 1675 2012-05-08T06:21:12Z 31.184.238.9 0 MZgOMdBp wikitext text/x-wiki , http://cheappurchaseonline.com/ lasix, %)), ef6b12754a73262929a285a1ed5f345a52b089e3 1677 1676 2012-05-08T06:21:39Z 31.184.238.15 0 RKzcmDet wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ buy generic lasix, 8(, e296f310fe2247c2545289e78240b299dcea1bae 1678 1677 2012-05-08T06:25:03Z 31.184.238.9 0 mEFfdCpvgzpypamYCVD wikitext text/x-wiki , http://cheappurchaseonline.com/ generic levitra, vxsgp, e88f74143df4234ac1c284c2db1175d3d663d39a 1679 1678 2012-05-08T06:26:32Z 31.184.238.15 0 WTAgUpqmVoCxXwMRrzZ wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ generic accutane, tuihl, 9445b60337779fecf7aebb4835b1f80553af353b 1680 1679 2012-05-08T06:29:09Z 31.184.238.9 0 iDXUddDxjySFfARI wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic lasix, rxgxd, 2933c4b7307ecf6431da9e3d610cf5826f96bece 1681 1680 2012-05-08T06:31:29Z 31.184.238.15 0 fIodFDTHAvEMSv wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ buy accutane online, msfgdv, e4327db8b5935d1ee4f5d4b0150faf138be962b7 1682 1681 2012-05-08T06:33:28Z 31.184.238.9 0 QeGZnUqAmL wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic nolvadex, 99786, 686e7d2b6bc452d467f84a0dfdf7b6ef020bf148 1683 1682 2012-05-08T06:36:35Z 31.184.238.15 0 uxQSqLkN wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ generic orlistat, 5717, 9200b564c475321e073af5ad54abe82a8140f781 1684 1683 2012-05-08T06:37:42Z 31.184.238.9 0 OHqIgbeaWP wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic kamagra, kyju, 6557570712ad758f4cbc1f225730b483d77d9e08 1685 1684 2012-05-08T06:41:46Z 
31.184.238.15 0 iemqWlPSjIyGfTSc wikitext text/x-wiki comment3, http://cheappurchaseonline.com/ buy viagra professional online, %-)), 5e265fcffb3b1afc988ea76f011229485bc221a1 1686 1685 2012-05-08T06:42:20Z 31.184.238.9 0 JITIJXOEosnEiOeMDWe wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic clomid, >:OO, 8b54dd97bb198fd161a03a5981bee841e322346f 1687 1686 2012-05-08T06:46:14Z 31.184.238.9 0 UQVkYhcXWzs wikitext text/x-wiki , http://cheappurchaseonline.com/ buy propecia online, 00777, 6069c401c2aff4e6546789a7190e1bcac2ae0f5d 1688 1687 2012-05-08T06:46:25Z 31.184.238.15 0 eIdPauohGbu wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ buy viagra, 50821, 575e7492ff52df5a0402d5ea85fc118f0dbf2804 1689 1688 2012-05-08T06:50:15Z 31.184.238.9 0 VodYdtrNpOWQ wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic diflucan, 49170, c72534b9ff95aeaac3e187df95d1b794c3f0b12f 1690 1689 2012-05-08T06:52:09Z 31.184.238.15 0 LTSNSpmncTYNDC wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ generic orlistat, mql, e670a763e3f5478b45affa7fca243f10d5d3e330 1693 1690 2012-05-08T06:54:19Z 31.184.238.9 0 TUPTjlayZbsddgff wikitext text/x-wiki , http://cheappurchaseonline.com/ buy doxycycline online, 94058, fce237f239b9d55bb4aca51aac0c0116159a46bf 1694 1693 2012-05-08T06:58:42Z 31.184.238.9 0 LyAaokYzBXKwC wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic diflucan, >:-OO, 37df64a96a08f8ff64fe30766851688ece001ec6 1695 1694 2012-05-08T07:02:18Z 31.184.238.15 0 NjpbMHZxlpdZBM wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ priligy, =-[, a86ee3ddf79ef4629fe3ab9a73f8414765884db5 1696 1695 2012-05-08T07:03:05Z 31.184.238.9 0 FPpLVIfdmIcdkCowg wikitext text/x-wiki , http://cheappurchaseonline.com/ generic kamagra, 8-D, d37e1cd481fb85298a585678690a1a7350c8cd10 1697 1696 2012-05-08T07:07:24Z 31.184.238.9 0 ckpXZLgqBIGw wikitext text/x-wiki , http://cheappurchaseonline.com/ generic cialis super active, ufzet, 
b29e30e1a051045271e7a8dd349e177aaeca1d0f 1698 1697 2012-05-08T07:07:43Z 31.184.238.15 0 YNnBvdYodirZeqdlm wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ generic cialis, %OOO, 28462166ac95b92d17cfed64f138c5aa41864184 1699 1698 2012-05-08T07:11:24Z 31.184.238.9 0 sYbXfOPnYwHaP wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic flagyl, 533, 7d6d569996b3368015b11ca2d65416eb89c35cc5 1700 1699 2012-05-08T07:12:39Z 31.184.238.15 0 VoLEqZzfZzuePdWaJ wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ buy kamagra online, oupvtd, 2e8c259eb00f8baac85095313ca963dfece5e439 1701 1700 2012-05-08T07:15:25Z 31.184.238.9 0 IaclHdxTMDFBKP wikitext text/x-wiki , http://cheappurchaseonline.com/ flagyl, 0956, d29845049a31d320c7c6e6b60b5ef66bb65bf6f1 1702 1701 2012-05-08T07:17:55Z 31.184.238.15 0 FqWymINxBXdfV wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ generic orlistat, %-(, b468d55cdb2b7f02f011e4b77e4bdf355d44ae55 1703 1702 2012-05-08T07:19:54Z 31.184.238.9 0 OAjuzjKfSGXNeD wikitext text/x-wiki , http://cheappurchaseonline.com/ propecia, =OOO, 188f0b96c142a0af622a73017f58b99d47643b00 1704 1703 2012-05-08T07:23:07Z 31.184.238.15 0 SXyBIgIskhPRHC wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ buy female viagra online, =[[, 1c3636f747160cc33ebb7bed9259cffdaa47b18a 1705 1704 2012-05-08T07:24:12Z 31.184.238.9 0 FXxByGyrXsADOBaNJ wikitext text/x-wiki , http://cheappurchaseonline.com/ lasix, orti, 1776454180f4f50852540763baddc18067f2b8bb 1706 1705 2012-05-08T07:28:04Z 31.184.238.9 0 SttzYWYaTaU wikitext text/x-wiki , http://cheappurchaseonline.com/ buy nolvadex online, djbmx, 4393ba50abc63f6d40669d52a74042385320a309 1707 1706 2012-05-08T07:32:05Z 31.184.238.9 0 NWmReiFj wikitext text/x-wiki , http://cheappurchaseonline.com/ female viagra, jmxxp, faffafffd00b1c5dccb305fb6ee4cb75957a994a 1708 1707 2012-05-08T07:33:05Z 31.184.238.15 0 kwdxiysjJXHHMnozRZ wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ buy 
clomid online, >:-], 44a4ed36f6a7cf2194ede34709ddb8052794e5f5 1709 1708 2012-05-08T07:36:07Z 31.184.238.9 0 aoLPuowriTMGieppKw wikitext text/x-wiki , http://cheappurchaseonline.com/ buy clomid online, 7972, b260d575ef1c3ffd7ca2f5f08b51bf86e93f7f09 1710 1709 2012-05-08T07:37:54Z 31.184.238.15 0 pPyFYtAecbYqYN wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ diflucan, 57600, e5359a2af168663cd4d6644f6a75a93b04dbca84 1711 1710 2012-05-08T07:40:10Z 31.184.238.9 0 qGCTGPKfkTFMqx wikitext text/x-wiki , http://cheappurchaseonline.com/ buy levitra, %-], 71fac98bf9f38440e0ef63b49521509c99ee67bf 1712 1711 2012-05-08T07:43:39Z 31.184.238.15 0 ufgjmCDUmUOtmLPpZwC wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ buy cialis online, =OO, 79d0d140821581090409c89b42a29a4eb845b699 1713 1712 2012-05-08T07:44:11Z 31.184.238.9 0 svlAiaSNXPYRKAE wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic flagyl, 0611, b828ec2630dd5c0e0e0456f959fad15bfc410f25 1714 1713 2012-05-08T07:48:17Z 31.184.238.15 0 kHdwCpuqWriUVI wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ generic diflucan, svavo, 63be243f222424f33c3e6744ec8e2bb4066cec52 1715 1714 2012-05-08T07:48:49Z 31.184.238.9 0 sKuWTKGGhWHC wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic cialis, mtm, b328749a3e90cea6bf09a93c294de4cf5fc86ca7 1716 1715 2012-05-08T07:52:51Z 31.184.238.9 0 azKEEEOVqxsrE wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic kamagra, >:-OOO, 3f5e3703138359ab5a50a2343236b7f0e28f0ad7 Linux Security Summit 2012 0 8 1717 1716 2012-05-08T07:53:34Z 31.184.238.15 0 VkogYTaLfL wikitext text/x-wiki comment2, http://cheappurchaseonline.com/ buy levitra online, :-[[[, 26bb963b1e3c22757f88d48752553d54a91a769a 1718 1717 2012-05-08T07:57:01Z 31.184.238.9 0 YjyczZLqNtP wikitext text/x-wiki , http://cheappurchaseonline.com/ generic strattera, ree, 42ddb0b327d8c3a01e2b83993f1947b01a982e05 1719 1718 2012-05-08T07:58:53Z 31.184.238.15 0 
febwTbserhmOghbF wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ prednisone, 70100, 21a813e610e61afc52518e07425fdb0038a09f19 1720 1719 2012-05-08T08:01:06Z 31.184.238.9 0 NATkAGsYFTdwvvIn wikitext text/x-wiki , http://cheappurchaseonline.com/ generic clomid, =-DDD, 9ea04ba16cf37978fd201ea2a24e574f930f24b6 1721 1720 2012-05-08T08:04:02Z 31.184.238.15 0 mBWgZgMsxZMJZUREYU wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ strattera, :OOO, 44e0c4554898ab9ffbe5bbf358eb252356c9a420 1722 1721 2012-05-08T08:05:18Z 31.184.238.9 0 UiwNcVxZQGI wikitext text/x-wiki , http://cheappurchaseonline.com/ generic prednisone, =DDD, 40eb6fa05759cba1d122e2e8ae33dcdda0a769a3 1723 1722 2012-05-08T08:09:05Z 31.184.238.15 0 SGcnWvPpqSBNa wikitext text/x-wiki comment2, http://cheappurchaseonline.com/ generic kamagra, 66050, 6cccd30cc4893402e96e0160366b9527e64f821b 1724 1723 2012-05-08T08:09:33Z 31.184.238.9 0 kfERqeDJVQTC wikitext text/x-wiki , http://cheappurchaseonline.com/ generic doxycycline, :], 0167d7e21d7166ff32930907850a1b80b205e5c3 1725 1724 2012-05-08T08:13:45Z 31.184.238.9 0 dMtbXrHZWTKBtd wikitext text/x-wiki , http://cheappurchaseonline.com/ buy lasix, fcngex, 8a021ee34389f21bd8ec1733cf843665678b32be 1726 1725 2012-05-08T08:13:48Z 31.184.238.15 0 nPEtHZMbPobaMmkWGr wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ buy strattera online, anvtjp, 173a3982f9ded0e55a52b0fa33e4579065bcf916 1727 1726 2012-05-08T08:17:47Z 31.184.238.9 0 NGlYmvLbWCS wikitext text/x-wiki , http://cheappurchaseonline.com/ lasix, 8-))), 6e882edebb463de9596fd09ead68d9068a9a26ff 1728 1727 2012-05-08T08:19:11Z 31.184.238.15 0 NCasjRLhqmEp wikitext text/x-wiki comment3, http://cheappurchaseonline.com/ buy clomid online, 901895, 2905d4b5285d2c7cc5984589288e24fed023e14c 1729 1728 2012-05-08T08:21:51Z 31.184.238.9 0 TihDshyuIox wikitext text/x-wiki , http://cheappurchaseonline.com/ buy doxycycline, xbavdc, e068b900e5c979e6e7d86faa68bdcf44578a8057 1730 1729 
2012-05-08T08:24:22Z 31.184.238.15 0 sEOwejdQMDhFMLVpCC wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ generic zithromax, 521, acdc101c850cbed5eb9f4515c2888b78699ca956 1731 1730 2012-05-08T08:26:02Z 31.184.238.9 0 bVrYDydeHoapZmX wikitext text/x-wiki , http://cheappurchaseonline.com/ cialis super active, =PP, 5798afe4d59b88f5effd6100f48798b3ebfae977 1732 1731 2012-05-08T08:30:19Z 31.184.238.15 0 jGgPgXMdxiX wikitext text/x-wiki comment2, http://cheappurchaseonline.com/ buy generic zithromax, rgx, fc72171e89b074b72a754173043bea9b2de5dcb1 1733 1732 2012-05-08T08:30:27Z 31.184.238.9 0 WIVtUvPssONV wikitext text/x-wiki , http://cheappurchaseonline.com/ strattera, 0921, 1dcd103d024b995ae7cdb31b3e8dfe6a8cfc4e15 1734 1733 2012-05-08T08:34:49Z 31.184.238.9 0 CtbzpPIKw wikitext text/x-wiki , http://cheappurchaseonline.com/ buy kamagra online, 8-((, e96c6922ab51a5735224370def2f403807eb269c 1735 1734 2012-05-08T08:36:01Z 31.184.238.15 0 dBXqFWHq wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ generic propecia, >:[[, e486fe8ce903c0a25145c163080f532452a485b8 1736 1735 2012-05-08T08:39:01Z 31.184.238.9 0 QrxgeHKRwSiNXzfLXa wikitext text/x-wiki , http://cheappurchaseonline.com/ female viagra, 365729, 6ea312ce7770d9fb61b53c0b934e6c11c6caf7a4 1737 1736 2012-05-08T08:41:40Z 31.184.238.15 0 HPQryYPyjWyAamCbK wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ viagra professional, istxya, a976f7c0f25e50f74ced765a72db35d90b0e5997 1738 1737 2012-05-08T08:43:38Z 31.184.238.9 0 lOLccNvmO wikitext text/x-wiki , http://cheappurchaseonline.com/ generic cipro, 907480, 3ac339b286d6266d63a1b2089eb63a747eddb0b1 1739 1738 2012-05-08T08:47:25Z 31.184.238.15 0 DZUhCEbVElFXIwGP wikitext text/x-wiki comment2, http://cheappurchaseonline.com/ buy cialis super active, :((, 7c9f289c11d65bc1dcef772e8ddec34ddda665ec 1740 1739 2012-05-08T08:48:11Z 31.184.238.9 0 KYLnZmjLQkezRpMjjr wikitext text/x-wiki , http://cheappurchaseonline.com/ buy levitra, %[[, 
71e563c673b9345174fdd3e4b7ee9f5942f5c9a8 1741 1740 2012-05-08T08:52:26Z 31.184.238.9 0 iiYbNvFLypKmptbH wikitext text/x-wiki , http://cheappurchaseonline.com/ buy female viagra, :-P, ccfaed80dc7cafa87743e727e27ce8be211cb871 1742 1741 2012-05-08T08:52:59Z 31.184.238.15 0 tXHukRhCBNqTx wikitext text/x-wiki comment2, http://cheappurchaseonline.com/ buy generic viagra professional, mqqve, 40dfc6e6ecaecdf540abdfb43689813f54d14621 1743 1742 2012-05-08T08:56:27Z 31.184.238.9 0 FmSnlsOVEfSgihCg wikitext text/x-wiki , http://cheappurchaseonline.com/ buy doxycycline, 2475, 9b5d5c767b9cecb377e3cd43b2bcb2a709829c49 1744 1743 2012-05-08T08:58:24Z 31.184.238.15 0 VOLjRiae wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ buy diflucan online, >:(, d2c75eb5885d1e0a36b36f8cfa51d2f62b7ea5a9 1745 1744 2012-05-08T09:00:42Z 31.184.238.9 0 zUZUFBBTauKhkTjjgcJ wikitext text/x-wiki , http://cheappurchaseonline.com/ generic diflucan, 609, 0d501917cbd453d7acabbbb740a4200e4de73b20 1746 1745 2012-05-08T09:03:40Z 31.184.238.15 0 GzEAuNWSvj wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ buy viagra professional, eeqmtl, 6b12dded020ea205d62f6e9c2a6cb97da3eba623 1747 1746 2012-05-08T09:04:45Z 31.184.238.9 0 ONYdScTBoirqFwjvRtz wikitext text/x-wiki , http://cheappurchaseonline.com/ buy female viagra online, ilt, e5f81652cbeaa1e1b2694751681ef2879454a4e8 1748 1747 2012-05-08T09:08:40Z 31.184.238.15 0 IefiJCZBXSIalzz wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ buy female viagra online, 8-[, 627288febf71bce9a7188b8007e3237e8075f0bd 1749 1748 2012-05-08T09:08:46Z 31.184.238.9 0 hqogccuvGx wikitext text/x-wiki , http://cheappurchaseonline.com/ buy doxycycline, =OOO, e98206e3b7d1eb0e31e0c0436a59c618d6f24205 1750 1749 2012-05-08T09:12:50Z 31.184.238.9 0 VXTTxifc wikitext text/x-wiki , http://cheappurchaseonline.com/ generic orlistat, 06028, b76eafc14a33b916240acc05a41cea1c95c9509e 1751 1750 2012-05-08T09:13:25Z 31.184.238.15 0 FNFTMzhNJmB wikitext text/x-wiki 
comment5, http://cheappurchaseonline.com/ buy generic zithromax, bmbi, 9f08e7761ab85daee2e0bfa73e3f03820a1472ac 1752 1751 2012-05-08T09:16:41Z 31.184.238.9 0 vYuNQpyOVxf wikitext text/x-wiki , http://cheappurchaseonline.com/ buy zithromax online, oefmt, 45e77a7b7797effa83baced94a82750598ee55bb 1753 1752 2012-05-08T09:18:36Z 31.184.238.15 0 XDLSABMJiczrpCyjnYK wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ buy generic zithromax, %[[, 8d140c046348fb197087f5603992159c88178cd1 1754 1753 2012-05-08T09:20:38Z 31.184.238.9 0 sWiIABod wikitext text/x-wiki , http://cheappurchaseonline.com/ cialis professional, oqio, 5841f81e88fce6c8666543e3ea048a69040f1ce1 1755 1754 2012-05-08T09:23:25Z 31.184.238.15 0 QhNcHIKddzHiQKwc wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ buy levitra online, >:-P, f22c7aeb32c936edad82a432ae819e68ec2e8418 1756 1755 2012-05-08T09:24:44Z 31.184.238.9 0 TmBzbFVWDnEG wikitext text/x-wiki , http://cheappurchaseonline.com/ buy diflucan online, zisbz, 3a1b26a139d959f55df3181d45ca03b8912c14b2 1757 1756 2012-05-08T09:28:26Z 31.184.238.15 0 nBqMHHXJJNCGJ wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ buy generic viagra, :[, b05e8f7eb0701989da31da80901864529835e0a3 1758 1757 2012-05-08T09:29:00Z 31.184.238.9 0 bwrEBaHX wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic kamagra, smjgc, f7979969d5618f4b6aedea1098bae8a7784c1a01 1759 1758 2012-05-08T09:33:01Z 31.184.238.9 0 BxjwfAKqRIvvUpk wikitext text/x-wiki , http://cheappurchaseonline.com/ generic doxycycline, kzfl, 8e0179ff839c1f4cae783557ba7b09c45a3043a7 1760 1759 2012-05-08T09:33:23Z 31.184.238.15 0 gPXziFHUGYyAguz wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ buy orlistat, 521531, a1b1ee01e92481f2363d668d20ce7ecddd667c42 1761 1760 2012-05-08T09:37:12Z 31.184.238.9 0 VztAUKNTl wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic diflucan, %O, 05d0077bd2956a0de4039fb587814568d6b6d249 1762 1761 2012-05-08T09:39:05Z 
31.184.238.15 0 AlxKDuSKBW wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ generic viagra, >:OO, 0b4676e6808c47eb32f2c288da95bfc1799fbe39 1763 1762 2012-05-08T09:41:25Z 31.184.238.9 0 jvVNIECCuZBAXrmW wikitext text/x-wiki , http://cheappurchaseonline.com/ levitra, %-OO, db263ba240690b2208044ae8a4e566b96a66a026 1764 1763 2012-05-08T09:43:42Z 31.184.238.15 0 lMvKIyUM wikitext text/x-wiki comment2, http://cheappurchaseonline.com/ buy zithromax online, :-]]], b5175de5ac608587544c6b4473b3baadc9dfe10b 1765 1764 2012-05-08T09:45:37Z 31.184.238.9 0 qQzQVUGEzQNjOjxtk wikitext text/x-wiki , http://cheappurchaseonline.com/ buy viagra super active, htjk, 5e1c80870e08d1a9ab8b715b49fc61d9108db813 1766 1765 2012-05-08T09:48:52Z 31.184.238.15 0 duVTTDvzhh wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ buy nolvadex, %-P, e8fe93af16cfbc08b3a80d9524dd90e433acdbb1 Linux Security Summit 2012 0 8 1767 1766 2012-05-08T09:49:49Z 31.184.238.9 0 VTYLCAXSerinWPmXV wikitext text/x-wiki , http://cheappurchaseonline.com/ buy cipro online, 532092, dacb8f1a30cbd1232f627bf6f6f8619796671a44 1768 1767 2012-05-08T09:53:31Z 31.184.238.9 0 ZpUhQdTTZ wikitext text/x-wiki , http://cheappurchaseonline.com/ buy nolvadex, zkngy, 6432fa6f0310e18df77324ac5c6241cc3a4c5087 1769 1768 2012-05-08T09:54:01Z 31.184.238.15 0 qTjrKICsGB wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ cialis super active, 69350, a8aaf6c9cc81d0cac69b264a54e13b3fde2e1c41 1770 1769 2012-05-08T09:57:45Z 31.184.238.9 0 JUgXIFMs wikitext text/x-wiki , http://cheappurchaseonline.com/ flagyl, 684035, ed1863c3aed893e3cf6c7066c80a9a67e0ef0320 1771 1770 2012-05-08T09:58:50Z 31.184.238.15 0 KQqVdTmxkU wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ buy prednisone online, 6189, 5d3c058c07dbf6c465efa323704abf9c3956b034 1772 1771 2012-05-08T10:01:49Z 31.184.238.9 0 zbFzMBaHm wikitext text/x-wiki , http://cheappurchaseonline.com/ buy flagyl online, 2335, 
0a0f0931194ffcb11940d806d973c4c861c826e8 1773 1772 2012-05-08T10:03:40Z 31.184.238.15 0 olgzovmPLpEHbYjbFw wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ cipro, 343, 73c88c0e6c46b79c8a6707c6e7bf1d24f27c8288 1774 1773 2012-05-08T10:05:52Z 31.184.238.9 0 KQphcRRRVW wikitext text/x-wiki , http://cheappurchaseonline.com/ generic viagra, oxhj, 60caafe70faf442c1f44f776c4f3df125bdef133 1775 1774 2012-05-08T10:08:43Z 31.184.238.15 0 aVzRGdYUnhjYEt wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ viagra professional, 89046, c78f0ace861a9e24691e720ccac118bd7245e989 1776 1775 2012-05-08T10:09:44Z 31.184.238.9 0 qXiAnyqzuK wikitext text/x-wiki , http://cheappurchaseonline.com/ buy flagyl, 9256, 001ba98315ed8fd4ca2a5f087e1d8544aeea309f 1777 1776 2012-05-08T10:13:24Z 31.184.238.15 0 WseFPwzXa wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ generic flagyl, vtrxh, 26469539ebb97a016b71ea3aa8373697cb6cdf13 1778 1777 2012-05-08T10:14:19Z 31.184.238.9 0 BTgCYqNnWJVfMCDtigl wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic cipro, 666931, 52ca3c1a4e79d51a31461d567c487336f7df5aae 1779 1778 2012-05-08T10:17:47Z 31.184.238.9 0 VYRdhsSwcEdLRfEjmGv wikitext text/x-wiki , http://cheappurchaseonline.com/ generic flagyl, 67748, d025ad780d8e551399a08bd4d429a1cadec8a58a 1780 1779 2012-05-08T10:18:22Z 31.184.238.15 0 ZsvBKgSEqXzxaNdY wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ buy strattera, iyhf, f656698700071fd1358e67f3c76cee4007ff373f 1781 1780 2012-05-08T10:21:52Z 31.184.238.9 0 yeYRtKHzsUaP wikitext text/x-wiki , http://cheappurchaseonline.com/ propecia, 77315, 9f21ce9e68c61cc6d3b37392b268ecb35a87cf57 1782 1781 2012-05-08T10:23:44Z 31.184.238.15 0 loepZWCIIsPgkx wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ cialis super active, 3282, 3ad22fcae4b92633527ad57f01b2491367263b79 1783 1782 2012-05-08T10:26:03Z 31.184.238.9 0 OkDLajiJUklUiRf wikitext text/x-wiki , http://cheappurchaseonline.com/ buy 
generic priligy, astz, 1f9dd9bb7859a0d4085330f62ed2f650dee530fd 1784 1783 2012-05-08T10:29:11Z 31.184.238.15 0 RiHkEYeWznU wikitext text/x-wiki comment3, http://cheappurchaseonline.com/ generic accutane, 9066, 5ce859e43efc6cc4bbeeb7c86a4d07d36a596479 1785 1784 2012-05-08T10:30:06Z 31.184.238.9 0 iYxfgZinmTsJyCukTc wikitext text/x-wiki , http://cheappurchaseonline.com/ orlistat, %-PPP, 245d8bb842b8585c006e239762bd457208a2b652 1786 1785 2012-05-08T10:34:20Z 31.184.238.9 0 pkkOoYrLSHXBu wikitext text/x-wiki , http://cheappurchaseonline.com/ buy cialis professional online, :-DDD, 31ed857ba3e6a24609d45dbd9338e7c09a7f1785 1787 1786 2012-05-08T10:34:46Z 31.184.238.15 0 ilMahhlmtqGjBv wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ buy flagyl online, 26649, d421f279c2f1a8fdfc718485dd0199fc722f0a97 1788 1787 2012-05-08T10:38:11Z 31.184.238.9 0 MCgNxPbOETpmQzuJuKd wikitext text/x-wiki , http://cheappurchaseonline.com/ buy diflucan, 8-))), 8ed14458f86d7b40a3758e97c692f7765775891f 1789 1788 2012-05-08T10:39:42Z 31.184.238.15 0 zjHNgfsbdUQdYeM wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ priligy, 90564, 84a6b4bf61aeed755928802f28dc97aa6bacb0cc 1790 1789 2012-05-08T10:42:21Z 31.184.238.9 0 jilYJTMOmlfeGtoYkpE wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic levitra, gywnrm, 6f4d7d5204fbbc6041bc0bb22dfd5b5426cc6f5d 1791 1790 2012-05-08T10:44:30Z 31.184.238.15 0 GNKcEZXmkLNcL wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ buy generic doxycycline, 178539, e2502216e579d5a3258e97e9d8f2da42b58ba385 1792 1791 2012-05-08T10:46:35Z 31.184.238.9 0 stILclzqJslZVvsA wikitext text/x-wiki , http://cheappurchaseonline.com/ buy kamagra, ytn, cc9f428acd09cb6cda3d917b35523ccedfe7b60a 1793 1792 2012-05-08T10:50:37Z 31.184.238.9 0 WipfqmmHWo wikitext text/x-wiki , http://cheappurchaseonline.com/ buy generic orlistat, 3020, dba6e39c9bfdc5b4c3da2fae28ddf2a17cc0255d 1794 1793 2012-05-08T10:54:35Z 31.184.238.9 0 pXTkgbmdl wikitext 
wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html generic strattera, :DDD, 9a72c6f34d4e893d57f801d10646edc9de3b2f0c 1997 1996 2012-05-08T20:47:52Z 31.184.238.9 0 UInYNdHLnCjSGDClcZJ wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-finpecia-online-it.html generic finpecia, >:-DDD, cabcabb446680ccf9fb0507b384620de39403cae 1998 1997 2012-05-08T20:48:54Z 31.184.238.15 0 WVSQDbslxop wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html generic cialis, zagduz, dfab982e360f017a9116e085843c995893376cf2 1999 1998 2012-05-08T20:51:02Z 31.184.238.9 0 hEWkldpFiEovJqMM wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-cipro-online-it.html prezzo cipro, 105712, 384c91257f70256c8748201b7a0dc71fa3b3603a 2000 1999 2012-05-08T20:54:31Z 31.184.238.15 0 PKHtHVRWgZ wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy strattera, 658876, 43139649e4a2100428615814a69bf38b5411cfa6 2001 2000 2012-05-08T20:55:30Z 31.184.238.9 0 wLOZiTimufDizYV wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-kamagra-online-it.html generico kamagra, 0471, 3ec1f1301c0de40f8547aabe058f2bc56565c9ed 2002 2001 2012-05-08T20:59:40Z 31.184.238.9 0 rLvgwoRIDzcCFsa wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-levitra-online-it.html prezzo levitra, sei, f268feae9027df57af53da8e7d52d053927623e3 2003 2002 2012-05-08T21:06:34Z 31.184.238.15 0 byMLsdhrIStQVmvpzvG wikitext text/x-wiki comment2, http://cheappurchaseonline.com/ generic cialis, udbhw, b0790b7120cde0fd413d652756d00160923426b5 2004 2003 2012-05-08T21:07:44Z 31.184.238.9 0 IubfJOhjthjHL wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-nolvadex-online-it.html prezzo nolvadex, uyszz, a9d1e2113c1083e5226dec4c3f1959d18a9784e4 2005 2004 2012-05-08T21:15:03Z 31.184.238.15 0 rIyTXeXgloGnozIig wikitext text/x-wiki comment2, 
http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy cheap viagra, liinvd, 63689636a3e85edf15b0459e5c857a5b0b18c6f3 2006 2005 2012-05-08T21:15:35Z 31.184.238.9 0 nrALVnUdL wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-diflucan-en-ligne-fr.html generique diflucan, =-[[, 1ecb0bcd73ebcf26a0aaa3847c7a4ef03b31b9ed 2007 2006 2012-05-08T21:23:13Z 31.184.238.9 0 gqJGKNJhXb wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter diflucan, %)), 1a0535e2c627bb50a0e6b43ccd9dd4037fbc04f6 2008 2007 2012-05-08T21:23:36Z 31.184.238.15 0 PRrfWpQyRiwUCIO wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ generic amoxil, afclcs, 763dc766dd031165df0d73e43f98aa5e70c1fe14 2009 2008 2012-05-08T21:32:06Z 31.184.238.15 0 HDhqUqFbxElonvn wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html zithromax, 532903, acf14a3ff076b7db7e0caf9af05758143ca08787 2010 2009 2012-05-08T21:39:27Z 31.184.238.9 0 ZVMxqbTQkFMIms wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html acquistare zoloft, %[, 4c118100d5c35ac6a5d926b61b5901a62abe65d5 2011 2010 2012-05-08T21:40:29Z 31.184.238.15 0 clvnKMzaGfhrFlFWb wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ generic cialis professional, 8-), b8c16794db21099c40283750c90a3943e050b503 2012 2011 2012-05-08T21:47:07Z 31.184.238.9 0 PCFVGwNQXT wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-clomid-en-ligne-fr.html clomid, wozdht, 662b08b2ab27ec1fb5cb9566f7d10a258354b28c 2013 2012 2012-05-08T21:48:49Z 31.184.238.15 0 SRIcuIbsyiIK wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy generic amoxil, vzum, 5575efd2714c6c8915d6640eb0611115f2a96dd7 2014 2013 2012-05-08T21:54:54Z 31.184.238.9 0 fGmjpdmNYcQQVXucoT wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-amoxil-en-ligne-fr.html vente amoxil, 984850, fae36e069b929f24bc89c6a4756189a64fa3db79 2015 2014 
2012-05-08T21:56:34Z 31.184.238.15 0 YOHUgJSIHN wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active, :(((, c1efc0751fd17a2423840f7a868bb52b467cff4b 2016 2015 2012-05-08T22:02:32Z 31.184.238.9 0 fLtCDyPKOJWzJtpGs wikitext text/x-wiki , http://onlinefarmacia.it/ comprare proscar, %DDD, 958fc3cb5f94186445af4baeb7f5068a25daa4bd 2017 2016 2012-05-08T22:05:14Z 31.184.238.15 0 TFOYbRMHdOPUFlhcfQ wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic--online-en.html buy accutane online, :-], 0922e1371bd55e5139d2f3673f5bd298f1186368 2018 2017 2012-05-08T22:09:58Z 31.184.238.9 0 IwEFDIBrJumg wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter zoloft, 8-OO, 0f5de6dac214b910adeeed4743b90bc19124d02c 2019 2018 2012-05-08T22:11:09Z 31.184.238.15 0 ayKXtErpeJE wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html cipro, %-PP, cb278c0980d498b520b8aab658011b7c0555ce8a Linux Security Summit 2012 0 8 2020 2019 2012-05-08T22:14:16Z 31.184.238.9 0 WLZhZgZlSrlHspGLYXF wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-propecia-en-ligne-fr.html acheter propecia, >:DD, a3692a50919e1a03dea9b6a1eceed05785e201c9 2021 2020 2012-05-08T22:18:16Z 31.184.238.9 0 UuJvlffvLynzMUhKy wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-doxycycline-en-ligne-fr.html generique doxycycline, %-[, ebe3498fb42a91a7968d925bc49e16b171bef339 2022 2021 2012-05-08T22:22:31Z 31.184.238.9 0 gmrcaQGvmElFTGtiUXi wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zithromax-online-it.html comprare zithromax online, oadfs, c2d3de17c26c15f523329124885678ec6dce39e3 2023 2022 2012-05-08T22:26:33Z 31.184.238.9 0 DGDVQnmmQaNoWZjDu wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter cialis, 41403, ad29290d755d55587005cb791166ffef897ba76d 2024 2023 2012-05-08T22:27:40Z 31.184.238.15 0 DpXVMILRgsBnl wikitext text/x-wiki comment6, 
http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy generic priligy, 8]]], 0a44173c6d7a03fccff86fb13834c96955c692ee 2025 2024 2012-05-08T22:30:44Z 31.184.238.9 0 uezXVzuyT wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cialis-professional-en-ligne-fr.html acheter cialis professional, pnz, d9adb0ba1c0e38c2a84e7f112b1515bc60b17492 2026 2025 2012-05-08T22:32:53Z 31.184.238.15 0 oWXIOsOmGcCOCUcI wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html viagra, 6113, 27c84b8113ba7a230ac27d2c209725ccf915ffba 2027 2026 2012-05-08T22:34:48Z 31.184.238.9 0 afIHGJESIGOQSkZjLJf wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cialis-en-ligne-fr.html vente cialis, =[[[, 2256b423a98585bf3d5b821ece02e93bdf416c2e 2028 2027 2012-05-08T22:38:23Z 31.184.238.15 0 LEaQMYpAsQmnUWoT wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy generic strattera, 8OO, 91dc2fba89c3ffd19871a5d1324ebe279659b142 2029 2028 2012-05-08T22:38:39Z 31.184.238.9 0 eqOapcArzcpsxkS wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-professional-online-it.html generic viagra professional, 636, d6ab84960f2c17f771856d12249337847c09250e 2030 2029 2012-05-08T22:42:52Z 31.184.238.9 0 lIUhnqmrKL wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-orlistat-online-it.html comprare orlistat, 156, 47d4045c1977753e4ec35580fe60000ca4600b14 2031 2030 2012-05-08T22:43:36Z 31.184.238.15 0 ewVoHLIh wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy priligy, fbuint, f24c94fbff6a8f86da9aa381d7dc38bacb5e0dba 2032 2031 2012-05-08T22:47:03Z 31.184.238.9 0 ZAwBFilyNWz wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cipro-en-ligne-fr.html cipro, 350, 190b14c1bf558f67c9ec7fcd15d3baa0e244083d 2033 2032 2012-05-08T22:49:07Z 31.184.238.15 0 SYqvkfPerlAnB wikitext text/x-wiki comment2, 
http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix online, rwfdcx, e89bf4c77dc09dd771f93a09dd83b432f0e092fb 2034 2033 2012-05-08T22:51:08Z 31.184.238.9 0 PHoZgtyIJnfQAlXRBrU wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-super-active-online-it.html vendita viagra super active, >:-PPP, 64886ed1cdd242503b0eddbb428f3fd2333b7f57 2035 2034 2012-05-08T22:54:39Z 31.184.238.15 0 AaCPhnfpQ wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy nolvadex</a>, 5657, 9b33682909dfe006ddd50a0f9fab41a8de61c722 2036 2035 2012-05-08T22:55:09Z 31.184.238.9 0 QawuJocnfdzd wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-propecia-online-it.html prezzo propecia, vhprbo, acbfc1d8355b6450b1589ca5f0c46a22eb2e42e8 2037 2036 2012-05-08T22:59:13Z 31.184.238.9 0 UvnglkxRjHrVRHFx wikitext text/x-wiki , http://onlinefarmacia.it/ comprare kamagra, 12916, cbf2fca91ace14571f326a3fd0c4525c8acf7533 2038 2037 2012-05-08T23:00:10Z 31.184.238.15 0 vWKhAXuEFVMh wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy generic zoloft, 545, 9336bcd788be2db3bde6e81581bda4dc361205f7 2039 2038 2012-05-08T23:03:24Z 31.184.238.9 0 liYwpUHzrlZiTWr wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter nolvadex, ayoes, f51f3788fb9f45a7bac0278f554bf6348bc41200 2040 2039 2012-05-08T23:05:31Z 31.184.238.15 0 JxAXnffpXBC wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html amoxil, 436598, b7e59c08696a5bb137db7345a72b3245c1c5dce8 2041 2040 2012-05-08T23:07:27Z 31.184.238.9 0 vBEoKUhiRNISahtukli wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-proscar-online-it.html comprare proscar online, 0665, ea6227f1da589a7952aefee17490ad74da5a938e 2042 2041 2012-05-08T23:11:00Z 31.184.238.15 0 XhVpkbCwNbCKR wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html buy 
cheap diflucan, plcn, dfdc854d3475c4d8ca0a7b9c15ef50c00c07dc5a 2043 2042 2012-05-08T23:11:31Z 31.184.238.9 0 nwnfkZgxmemvDjXh wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-professional-online-it.html generico viagra professional, tidp, 879db408cb5c5a335c9bf38f98af79101acd160a 2044 2043 2012-05-08T23:15:53Z 31.184.238.9 0 EHBcLTfdVAuaLuOd wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter viagra super active, >:-[[[, b3b9513a0a0cc40f945c16fcdd1b223699aa90bd 2045 2044 2012-05-08T23:16:29Z 31.184.238.15 0 eQhihjBeHyu wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy generic priligy, %-[[, 7af84539ea8cd94b4b25e512033103d6efa9644f 2046 2045 2012-05-08T23:22:25Z 31.184.238.9 0 xQlsNbrOhzXAVm wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html achat accutane, 137, 7f6bf5110fd438e005ffe3124955393d34aa84eb 2047 2046 2012-05-08T23:25:25Z 31.184.238.15 0 qvMdZBBMZTTLrcAULf wikitext text/x-wiki comment3, http://cheappurchaseonline.com/ generic cialis, nvbqrc, 65c9c94a9db7747e16d98427b47882c353c548ce 2048 2047 2012-05-08T23:27:26Z 31.184.238.9 0 vbMDOqorHCVRKaMhDZM wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-orlistat-online-it.html vendita orlistat, :-(, 113a13cdd047f45f4a6aea1fb7cdc9c42915522b 2049 2048 2012-05-08T23:30:55Z 31.184.238.15 0 AkLuynikyaS wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy prednisone, %P, 35adc8d851fbcc11281dc9134925712d4afe9e1b 2050 2049 2012-05-08T23:31:59Z 31.184.238.9 0 IQoULMjsmuqwkAJmdE wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-orlistat-online-it.html generico orlistat, 2052, cb62f76e70fabbe74e7c48b2bc85f54c3785b907 2051 2050 2012-05-08T23:36:04Z 31.184.238.9 0 eWUSwRlV wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html acheter accutane, uln, 
763c1488151729d63f7aa4b1ef5420ff7db49726 2052 2051 2012-05-08T23:36:13Z 31.184.238.15 0 LyrrGJHdcaGLJdsm wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy generic orlistat, 8DD, 83993bc1dc272779a95c872516cd1b1cdb4ca00a 2053 2052 2012-05-08T23:40:06Z 31.184.238.9 0 jisMqWuzQZ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html generico viagra, oszxcr, e9d5f622220c6dd98ef797a0ca4f5774e8898925 2054 2053 2012-05-08T23:41:46Z 31.184.238.15 0 GmFRtFvH wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html buy diflucan, 41454, a924c79fd06ec0676d1d5fbf708144369f4bafc8 2055 2054 2012-05-08T23:44:07Z 31.184.238.9 0 XbHSQbfMVsTRWpU wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cialis-en-ligne-fr.html acheter cialis en ligne, ncs, c6568b639dc4089e845423531bebe0fa0966ffe3 2056 2055 2012-05-08T23:46:51Z 31.184.238.15 0 zDjmKJGB wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html buy cialis professional, trgja, 709bbfb4021ab626b0519f249ef5228217a3ee61 2057 2056 2012-05-08T23:48:13Z 31.184.238.9 0 CQQPTnYUPPFIlF wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-strattera-online-it.html acquistare strattera, 8-(((, 77223f808360dbe83c0aac15c584b63a9d47d0de 2058 2057 2012-05-08T23:51:44Z 31.184.238.15 0 vlEmLYCsjvDG wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy viagra online, rcyqfd, 610179b268902fe6ad4300d48cfd471b9ef05c94 2059 2058 2012-05-08T23:52:25Z 31.184.238.9 0 QawDuTteVzcQyS wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html vendita zoloft, 8-OO, 27ab3466f287106af6d9561f4a6bbab98ba0643a 2060 2059 2012-05-08T23:56:41Z 31.184.238.9 0 hWBohjeAukAId wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-super-active-online-it.html generico viagra 
super active, =PP, 17d04926f99d5bb37b9654da8c1fbb7c8347dfc6 2061 2060 2012-05-08T23:57:15Z 31.184.238.15 0 GANHPEAzl wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy viagra professional, 489, bf31960e5632fb61375f5bb49091f4932f44c566 2062 2061 2012-05-09T00:00:31Z 31.184.238.9 0 bZFXFhgVfgtwZ wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html vente accutane, %-[[[, 7f9d2ff987149cb5348f13ae6e0627081cb01cfe 2063 2062 2012-05-09T00:02:54Z 31.184.238.15 0 vKJimvuYSvlsB wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy cheap lasix, 506, d0158cf9dad525141f0191b3e1a76dbf011b6935 2064 2063 2012-05-09T00:04:35Z 31.184.238.9 0 SVKVWOaeNJA wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cialis-professional-en-ligne-fr.html acheter cialis professional, 632, 78c71185e2cf9d289aaa7d7f5f3792838805cc0c 2065 2064 2012-05-09T00:08:46Z 31.184.238.9 0 kjljQaQkjsGcRzbWWF wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-professional-online-it.html generico viagra professional, 264366, c7fe30c0701f4a62e725e359dee52d0bf2073912 2066 2065 2012-05-09T00:12:38Z 31.184.238.9 0 neBytRdBLVaIqidsKSz wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-kamagra-online-it.html acquistare kamagra, rzga, 9559c8e9c41d19fcf5c01073dc48037df53b7cf7 2067 2066 2012-05-09T00:13:55Z 31.184.238.15 0 sTmNEAEUdoPqPlGNaq wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy generic viagra professional, 67724, 183f6487af64880d333065767fccd72d5fb2d686 2068 2067 2012-05-09T00:16:38Z 31.184.238.9 0 RMtVLKYULtG wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html prezzo viagra, 38673, bfa49d91a5facfb7246b310cfa7e5ffa3995bc25 2069 2068 2012-05-09T00:19:33Z 31.184.238.15 0 DXAnxyzONxtD wikitext text/x-wiki comment2, 
http://cheappurchaseonline.com/ generic kamagra, 1460, 39ab6f460a481dcacdb8af82f3c81f527f8752e2 Linux Security Summit 2012 0 8 2070 2069 2012-05-09T00:20:42Z 31.184.238.9 0 MgkgKaAeemhDPe wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-super-active-online-it.html generic viagra super active, =-O, 3c1ff1beb3c185d20dcd555cc689ab5a7420b387 2071 2070 2012-05-09T00:24:55Z 31.184.238.9 0 mOlQoFwWitHMoDiKAOn wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-levitra-en-ligne-fr.html levitra, :DD, 8e79521c9754f0a83f990761fededa7938d9f550 2072 2071 2012-05-09T00:25:01Z 31.184.238.15 0 HvCaMUsFgfq wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic--online-en.html generic accutane, sse, 51f479ee10cd6d7eb01c29667a8a1ac3acbbccde 2073 2072 2012-05-09T00:28:54Z 31.184.238.9 0 hZGLmIjIXCXccOLUeLK wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cialis-super-active-en-ligne-fr.html acheter cialis super active en ligne, yrbcp, e966615dd95f8ce3a7f8453ff9f48e4ca6899794 2074 2073 2012-05-09T00:30:00Z 31.184.238.15 0 sKbkAxLa wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy propecia, =-), 266dcc84cfb86ca8932c6c918b3845fc89e18961 2075 2074 2012-05-09T00:32:57Z 31.184.238.9 0 aPpEgpiU wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-super-active-online-it.html generico viagra super active, %(((, 05da42a7fb367e5b4a9ddf4673e7a81162eef9e8 2076 2075 2012-05-09T00:35:27Z 31.184.238.15 0 KCnIOoPkUIjSZM wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html strattera, 157, 37af910de2a6df716e3ff064b3666602b4d30eb9 2077 2076 2012-05-09T00:37:12Z 31.184.238.9 0 bvNmoZNiyOmSHtPME wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html comprare viagra, 8-(((, b69bef8885f03b29bf9b3d75dcd6515cd7df1999 2078 2077 2012-05-09T00:41:02Z 31.184.238.15 0 ptJRsZSjBRcWFzZBk 
wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html generic nolvadex, 8692, 287775aff9032ee28476f4a519cf0c4d6a2ecdb5 2079 2078 2012-05-09T00:41:12Z 31.184.238.9 0 DKuQdwvgRY wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cialis-en-ligne-fr.html cialis, 762, 55e3fc475350645cc58bfde7a708b5f90e1792ae 2080 2079 2012-05-09T00:45:15Z 31.184.238.9 0 yfjdSuCOfRhMi wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html vente accutane, apyxo, 291a9a41792a43bc48cb41ebcd91181de89e2f79 2081 2080 2012-05-09T00:46:11Z 31.184.238.15 0 joBBxbzohW wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html zithromax, figtmw, 3cd9163579c06c266686cbded7b8907e660809a5 2082 2081 2012-05-09T00:49:19Z 31.184.238.9 0 minIoWykbkEyXcs wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-female-viagra-en-ligne-fr.html acheter female viagra, :-PP, 6449761dd54d90bbffdb7401bd91b78f459bc11e 2083 2082 2012-05-09T00:51:42Z 31.184.238.15 0 qlQLUSytVDAsynnhZV wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active, %OOO, d5af4c42bca0f40c03c78de03b95eb195a5d63db 2084 2083 2012-05-09T00:53:34Z 31.184.238.9 0 EovFEXxCFcNIYQAdy wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-accutane-online-it.html comprare accutane, >:-))), 369e31216249274d8048f5cd0fcb35caddf7787f 2085 2084 2012-05-09T00:57:01Z 31.184.238.15 0 tvmTQIRCPgkgTlv wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy generic zoloft, 661070, 24981a857fbf9aee40f50b968323f30bea0c5e9e 2086 2085 2012-05-09T00:57:55Z 31.184.238.9 0 rrpiYSOtf wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-tadacip-online-it.html vendita tadacip, 594307, da5a7728d9698faeea2a283ec57a7683857f6cb0 2087 2086 2012-05-09T01:01:47Z 31.184.238.9 0 DhKvokgeAtWbQj 
wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-levitra-online-it.html acquistare levitra, slvrs, 9b17ac7ac180a0ff65698060ca4f9c1db6a9e1b1 2088 2087 2012-05-09T01:02:14Z 31.184.238.15 0 WrulJkWJvSrJUiAPcxC wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy viagra, yyrhl, 1d096fc38f1ee3c24d2525517f74f206d6a7d9df 2089 2088 2012-05-09T01:05:50Z 31.184.238.9 0 dhSqSRRpv wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-super-active-online-it.html generico viagra super active, ujsxa, 5314fb403bdfe402fcb554fcb55bdb5b3e25bdeb 2090 2089 2012-05-09T01:07:37Z 31.184.238.15 0 pFBmFdkRW wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy levitra, 7745, 096636d544f2873ac30adc8556aae22ebde6ec7b 2091 2090 2012-05-09T01:10:04Z 31.184.238.9 0 MrXPSclWxNkxG wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html generic zoloft, 8[, a573de903e8201101c8ad803441ed2faa4add0f1 2092 2091 2012-05-09T01:12:56Z 31.184.238.15 0 BAXIVzMrigIwEcS wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy generic levitra, gli, 552643c6e71e69e86f61e64ab483874e3a126781 2093 2092 2012-05-09T01:14:17Z 31.184.238.9 0 qxXFIzutFtWoqBuQ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-priligy-online-it.html vendita priligy, shfxq, dd52c16e2c83afed34b2674a8c3f80a37e9c7979 2094 2093 2012-05-09T01:17:54Z 31.184.238.15 0 mXJfqFrkZjql wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy generic zithromax, 416, ef10e38a2e9529a5cd726c93c3f9ced97ab5c13a 2095 2094 2012-05-09T01:18:29Z 31.184.238.9 0 vZsCSyNkY wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html vente accutane, wbk, 6bcd6be36bd9f2406784c326296d6f7cf9a355e4 2096 2095 2012-05-09T01:22:43Z 31.184.238.9 0 daZUXzgmEgpntH wikitext 
text/x-wiki , http://enlignepharmacie.fr/acheter-achat-zithromax-en-ligne-fr.html acheter zithromax en ligne, gels, e9820ac30b1cb8d7236cec4312c02595d1578ac7 2097 2096 2012-05-09T01:23:11Z 31.184.238.15 0 lOvMxUiBBfpssK wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html generic strattera, cglbtu, 61ffd7d68170ec988d4b8ce2daecc68893ca8047 2098 2097 2012-05-09T01:26:32Z 31.184.238.9 0 LCcfopdpEGTlBFpXVd wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter nolvadex, huv, c2bebc775cf6bf5e035c6e912a82ece38f70fbe5 2099 2098 2012-05-09T01:29:20Z 31.184.238.15 0 ipfRrOec wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-clomid-online-en.html generic clomid, >:-O, 27ff7730899748c18559bbe6f0735edb26b5c55f 2100 2099 2012-05-09T01:30:49Z 31.184.238.9 0 wgNgYjEuVvyXhStM wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-cialis-en-ligne-fr.html vente cialis, %-PPP, 32491d4403ae5201b416a39a9927d002bda29c32 2101 2100 2012-05-09T01:39:55Z 31.184.238.9 0 uZPMROkTfKXtKOO wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-wellbutrin-online-it.html acquistare wellbutrin, 59400, 769fe879e5ee8aad70b7cab561ac9d56ee70841c 2102 2101 2012-05-09T01:45:13Z 31.184.238.15 0 ddgtUhqYJ wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic--online-en.html accutane, 8OO, 9220ded3392c7d48664c9818125e8f979431647b 2103 2102 2012-05-09T01:48:27Z 31.184.238.9 0 RUJdXBygxSmzz wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter clomid, =-P, ab69d89eebff6c56a6c913e1cfa70b62ba30d1c2 2104 2103 2012-05-09T01:52:20Z 31.184.238.9 0 vouWHYRnxchatgItm wikitext text/x-wiki , http://generiquesmedicaments.fr/ acheter strattera, dzzz, 47dee906cdbd74e0c8468aceab33471ae5e0d9bd 2105 2104 2012-05-09T01:56:34Z 31.184.238.9 0 LUqjKNAgoeyxKsDqxf wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-doxycycline-online-it.html acquistare doxycycline, 677, 
f6e0f432619d4a036cafbebc0d35635a67a99f23 2106 2105 2012-05-09T01:57:08Z 31.184.238.15 0 KQkjTXKTzNJjPblKL wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy generic cialis, 8], e9af3c22caa2f8ce40a3d3dfef9a3f3c65e95576 2107 2106 2012-05-09T02:04:16Z 31.184.238.9 0 ChCqgVVDnQFlwcFOmL wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-lasix-online-it.html generico lasix, 790708, 2fda0f8e27a48e675e4a328aacd0b373c19c12b2 2108 2107 2012-05-09T02:07:53Z 31.184.238.15 0 tXXiPBPOsWPWNvh wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ generic lasix, wjfec, 029ddd5cc0e9e94ba80c937196d86f492c514455 2109 2108 2012-05-09T02:11:12Z 31.184.238.9 0 DYeGdCpWn wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-diflucan-en-ligne-fr.html generique diflucan, ytxjq, 3cb077e9ac5161781d48888468ef651586851198 2110 2109 2012-05-09T02:12:50Z 31.184.238.15 0 TsEpeCBhyMgTZINJVF wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy prednisone, 4987, 17cf162ab2c8bab1ceb9925fb4acb23595568ac2 2111 2110 2012-05-09T02:16:53Z 31.184.238.9 0 RekXQlUzeZE wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-strattera-online-it.html vendita strattera, 858, 44b3a988589c18039cb168905e2876a034c6e0e8 2112 2111 2012-05-09T02:18:49Z 31.184.238.15 0 XeaLprBKCwcejs wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy generic zoloft, kbwg, 4a94fc3772c5a89dd0d3d8fbf19e23c971719ffb 2113 2112 2012-05-09T02:19:57Z 31.184.238.9 0 xNhmPTSIByGmzQHrFh wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-prednisone-online-it.html generic prednisone, bufke, 7ca4af93e893e4d1559a7f8af42dc83be24e2913 2114 2113 2012-05-09T02:22:19Z 31.184.238.15 0 uUenmakVqNA wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html generic priligy, qljmoq, 
24692, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html generic doxycycline, 2755, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html generic flagyl, 455347, 31a059c890a8f09eae2e8b61da7cfe2da28cdf2d 2273 2272 2012-05-09T08:33:56Z 31.184.238.9 0 tTELoGNDAKnQSs wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-nolvadex-online-it.html comprare nolvadex, popx, cb52e8b7bd3b3304d70badb04a05ab9495e63998 2274 2273 2012-05-09T08:37:03Z 31.184.238.15 0 cOxyKphxm wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active, 388, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html zithromax, >:-O, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy cheap zoloft, :-DDD, 61838078a24169c896c30592b1a4bd729e508d52 2275 2274 2012-05-09T08:38:09Z 31.184.238.9 0 dlvUBLdhTcjvwSJRp wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-amoxil-en-ligne-fr.html vente amoxil, :-P, 328598164e3e855a5c537d931e763587e47fb8b9 2276 2275 2012-05-09T08:42:09Z 31.184.238.15 0 UCtXOHUeQcBmkd wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy generic viagra super active, 2632, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy generic zithromax, ycn, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy cheap zoloft, =[[, 3c2851aac7708043841d17335fd62554643bbdb4 2277 2276 2012-05-09T08:42:38Z 31.184.238.9 0 uZUOQKzOjE wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-flagyl-online-it.html vendita flagyl, 1175, 08997cc69a5c2c484f40d4b2aa508e8c92af8178 2278 2277 2012-05-09T08:46:26Z 31.184.238.9 0 HuGDXoKKBROzNbE wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-clomid-en-ligne-fr.html acheter clomid en ligne, 349333, 58e9988ed91166d011268d30b8aae7bf24337464 2279 2278 2012-05-09T08:47:29Z 31.184.238.15 0 
VyOnOTuOOyeFmZeNwh wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy cheap viagra super active, 710051, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax online, kmlskv, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html zoloft, xutb, ed2b4c945f4411aa9cc28ca85b276444e448748f 2280 2279 2012-05-09T08:50:27Z 31.184.238.9 0 pzcYjozDTV wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html comprare viagra, 82994, b3e1335dfba00aa43a285ebdc33602a790272112 2281 2280 2012-05-09T08:52:38Z 31.184.238.15 0 lulCosQbueWI wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy generic viagra super active, :-OOO, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy generic zithromax, ogrg, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html generic zoloft, 6812, 67351cbe0afd2884a518e9309956d9652a81d648 2282 2281 2012-05-09T08:54:38Z 31.184.238.9 0 VwjjcgcIrqsNOZ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-nolvadex-online-it.html prezzo nolvadex, ciq, 560b95e3a80642f6819d6a0b01c1d7fbc8a59f8a 2283 2282 2012-05-09T08:57:50Z 31.184.238.15 0 lvBOAKaPzGPhePAU wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy cheap prednisone, clim, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html generic priligy, 3800, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy propecia, iht, 8ed7b138bd80697a6caf75fef6c195e46e9b1133 2284 2283 2012-05-09T08:58:53Z 31.184.238.9 0 btWxoRsuIWOu wikitext text/x-wiki , http://onlinefarmacia.it/ comprare kamagra, 844, 17511d1a691da4a775d0e9df9f7a85f2caff977d 2285 2284 2012-05-09T09:02:43Z 31.184.238.15 0 OBFuKlfdzQJRniK wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html 
buy cheap viagra super active, %-O, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy generic zithromax, ugxbp, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html generic zoloft, jgy, e6378cf9d091028bab17aa0967413bedbeb5c6cc 2286 2285 2012-05-09T09:03:10Z 31.184.238.9 0 ascZgivotKh wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html accutane, >:-DDD, 4fbd7d924a4d82cb68dd5ae11b497eb30c261ce9 2287 2286 2012-05-09T09:07:20Z 31.184.238.9 0 mhXtircpIBlSRIWtN wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-flagyl-online-it.html generic flagyl, 8-OOO, 9c2f80b8b32f51074abe70ca02d21c5c34adb3ab 2288 2287 2012-05-09T09:07:48Z 31.184.238.15 0 whSFqWvknFQOi wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active, 53079, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html zithromax, ugu, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy zoloft online, 403, 54826cdd0e7eeb4fc654ebfe27908e00c11ff203 2289 2288 2012-05-09T09:11:18Z 31.184.238.9 0 OxlzHSCsrEbux wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-female-viagra-online-it.html generic female viagra, cxdz, 85f4dc49ad26e27c377bf65f2d4bb71cd40b9c04 2290 2289 2012-05-09T09:12:57Z 31.184.238.15 0 jcFcBHWerPhB wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html prednisone, hur, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy generic priligy, nfp, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html propecia, :-OOO, 94bc4b74a524c6f739110eb48763ce5e6bacd0e1 2291 2290 2012-05-09T09:15:35Z 31.184.238.9 0 bHMoPDLPoIYcKiWTFqH wikitext text/x-wiki , http://onlinefarmacia.it/ comprare cipro, vdsc, 5770acdf972710a54580a4a693889df30133bbce 2292 2291 2012-05-09T09:17:57Z 31.184.238.15 0 tItyEPRjEVIsBHQas wikitext text/x-wiki comment3, 
http://cheappurchaseonline.com/ generic lasix, %OOO, http://cheappurchaseonline.com/ generic lasix, >:OO, http://cheappurchaseonline.com/ generic doxycycline, %O, b4cd71fe0cb1529fc758760be1d9f06271f00e05 2294 2292 2012-05-09T09:19:45Z 31.184.238.9 0 FsxqGadCAMOrCwVfhBO wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-lasix-online-it.html comprare lasix online, 8-[[, 2f276deaf39e211c580712c5ab527cae311322e2 2295 2294 2012-05-09T09:23:07Z 31.184.238.15 0 yUlIJEwIEaZkBhRKQdA wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy nolvadex</a>, dlhrt, http://cheappurchaseonline.com/buy-generic--online-en.html buy generic accutane, yfex, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy orlistat, kfjej, 69baf294c2b11961594f60f3c9d76dde7503b514 2296 2295 2012-05-09T09:24:02Z 31.184.238.9 0 DasUfUJHUCMSJBN wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-viagra-online-it.html prezzo viagra, 8-[[, 558be02b8a64bb47a0fa89087f4ba350b70f7981 2297 2296 2012-05-09T09:28:15Z 31.184.238.9 0 EjPutyjDvnxVS wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-prednisone-online-it.html comprare prednisone, sdv, e5205048d6d323ba356e4f2bf250e947fd5f2990 2298 2297 2012-05-09T09:28:24Z 31.184.238.15 0 SXXgxofh wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html generic viagra super active, 03779, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax, phza, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy generic zoloft, %], d3a97906717ad882a267d52b69f6cb7e3943e0d3 2299 2298 2012-05-09T09:32:32Z 31.184.238.9 0 JbVvgtrLZQWxbn wikitext text/x-wiki , http://onlinefarmacia.it/ comprare cialis professional, :-OOO, 839dfce7ff4dac940e75e3cb92e8283e8f589eb6 2300 2299 2012-05-09T09:33:17Z 31.184.238.15 0 idkPHjZlEaAFQx wikitext text/x-wiki comment2, 
http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html nolvadex, haofez, http://cheappurchaseonline.com/buy-generic--online-en.html buy cheap accutane, zhcr, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html orlistat, 8360, 8e667fec098121bb135cb18c8cb644993fdfae8f 2301 2300 2012-05-09T09:36:27Z 31.184.238.9 0 tflVViLpKbqsMD wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter diflucan, >:-]], b300fd1ff2de36eb9ee62406a266d07bfda72bf1 2302 2301 2012-05-09T09:38:04Z 31.184.238.15 0 AtcNmgQIj wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ generic flagyl, cgvher, http://cheappurchaseonline.com/ generic viagra, %-DD, http://cheappurchaseonline.com/ generic cialis super active, whaou, 23bcf8c2e3782706973d4f94defbc9dc0888a31e 2303 2302 2012-05-09T09:40:41Z 31.184.238.9 0 ctEhvkPZOYcFHCZz wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-priligy-online-it.html vendita priligy, 8[[[, da5b47aa1d7412d0b74f6c2beb21ae2f4da60a68 2304 2303 2012-05-09T09:42:50Z 31.184.238.15 0 ultBYeEMNebUhhyQRYM wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html generic diflucan, 101744, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy doxycycline, 75536, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html generic flagyl, epxftt, 5c55a191f8005dc00492729051e9a678bb4a4ecd 2305 2304 2012-05-09T09:44:45Z 31.184.238.9 0 HpdSHqJhCN wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html prezzo viagra, 764, 32e1dd4f2e71c9d5f63946b38e69e9461756a4c3 2306 2305 2012-05-09T09:47:56Z 31.184.238.15 0 hBOfxYQcUkeWQABNlK wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy cheap prednisone, ohbgf, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy priligy, 742724, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy propecia, vtgqg, 
aed7a54bd4937cd6166c79f1aa534a441f6c95ec 2307 2306 2012-05-09T09:49:00Z 31.184.238.9 0 xgqVjPUEnsZnFwnZmJ wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter orlistat, wnbw, 914b8fe5cb98978a23b543189f794f212c1bbc6a 2308 2307 2012-05-09T09:52:38Z 31.184.238.15 0 ximAIOPqxeba wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html buy cialis super active, >:-), http://cheappurchaseonline.com/buy-generic-cipro-online-en.html buy cheap cipro, 049371, http://cheappurchaseonline.com/buy-generic-clomid-online-en.html buy cheap clomid, 0912, 7b7adeaa8dcb505b18c297b29068f846945c8f28 2309 2308 2012-05-09T09:53:13Z 31.184.238.9 0 McIQDvtOFiDwTu wikitext text/x-wiki , http://onlinefarmacia.it/ comprare prednisone, 031578, e68e9c64c81a90a55c55383e5945abbe4d9917c3 2310 2309 2012-05-09T09:57:12Z 31.184.238.9 0 FbceFQwIErSyPytPFA wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html vente accutane, 8O, 5a691222314ea0d6c2ccc076fa285a2f0502d1cb 2311 2310 2012-05-09T09:58:21Z 31.184.238.15 0 kbvNxdfp wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy prednisone online, >:-(, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy priligy online, gizku, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy cheap propecia, 463876, 39106068abf12f332ffc05aa5a7476725f104103 2312 2311 2012-05-09T10:01:26Z 31.184.238.9 0 nbPSxzCVoLd wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-priligy-online-it.html acquistare priligy, 677, 6d67edc2c4190a2f028c70f31d299cefb018536c 2313 2312 2012-05-09T10:03:37Z 31.184.238.15 0 eBUJqYRaZvR wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html strattera, >:(((, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy cheap viagra, iwkv, 
http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy cheap viagra professional, >:-))), cf83031708b645f7dea2ebf94c1aca7d90168852 2314 2313 2012-05-09T10:05:43Z 31.184.238.9 0 EjVByNBkW wikitext text/x-wiki , http://onlinefarmacia.it/ comprare accutane, %-(, 010649633bbd96c47a8a5e8d5a41eedcf7036db5 2315 2314 2012-05-09T10:08:46Z 31.184.238.15 0 tkVxBwuR wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html strattera, 178, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy cheap viagra, >:-]], http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy viagra professional, 1457, bf49a9c9a099c668bc77b8d7b4f97a3bbc170c8a 2316 2315 2012-05-09T10:09:55Z 31.184.238.9 0 ouBiKQCLPdVJONdj wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html comprare viagra online, 54026, 5bd76765c9d4b3cf4e1bc0fb2491da7d1e9cbb3e 2317 2316 2012-05-09T10:13:43Z 31.184.238.15 0 DcHAozoWLkBZcQLdl wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ generic prednisone, 324, http://cheappurchaseonline.com/ generic strattera, 2025, http://cheappurchaseonline.com/ generic cialis professional, 8-PP, 4378b08ccf9bb4b3c6d930f78102e1e5b7729e51 2318 2317 2012-05-09T10:14:29Z 31.184.238.9 0 GtVdtFBWaGxPGNf wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html comprare zoloft online, >:-[[[, 1db7e534c36c831dcc98092b40413ebfc782a683 2319 2318 2012-05-09T10:18:10Z 31.184.238.9 0 FlnqEVoEMGSp wikitext text/x-wiki , http://onlinefarmacia.it/ comprare strattera, 548454, 073c14e6d2711e6c46334c337051aa37ad0a8c04 2320 2319 2012-05-09T10:18:47Z 31.184.238.15 0 yGIpsTgznibdpTKF wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy amoxil online, :D, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy cialis online, xhhb, 
http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html cialis professional, 03458, d556d1775061f77daf93adf064aacec6ff1f0b31 2321 2320 2012-05-09T10:22:13Z 31.184.238.9 0 EneMjOyEPrSvcNR wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-nolvadex-online-it.html comprare nolvadex, :-DD, b64b60593e6f16f19c2aff89c3b904063d6a4e79 Linux Security Summit 2012 0 8 2322 2321 2012-05-09T10:23:45Z 31.184.238.15 0 QmBvFnEEeA wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy generic kamagra, kfz, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy cheap lasix, yepay, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy levitra online, :[, a897aeaa788192263d0e1556494555c3d4383996 2323 2322 2012-05-09T10:26:05Z 31.184.238.9 0 yDoQpLuDMhU wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-propecia-online-it.html prezzo propecia, 8(, b3f5f28235b53ff3f4320698d662632a898adf1a 2324 2323 2012-05-09T10:28:56Z 31.184.238.15 0 crbowdTrfUEvekB wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy nolvadex online, :(((, http://cheappurchaseonline.com/buy-generic--online-en.html generic accutane, :-O, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy cheap orlistat, twvdy, 10a872f94f49f87f4405c1e6a7a5e9cd6045bb40 2325 2324 2012-05-09T10:30:29Z 31.184.238.9 0 jnRmSHUsFAnsb wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-kamagra-online-it.html comprare kamagra, 53305, 0c3d3535ae18e9db58e02a09ff44fd9d61518ccc 2326 2325 2012-05-09T10:33:49Z 31.184.238.15 0 DTLzdfrDo wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy prednisone online, jyb, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy priligy, 116, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy cheap propecia, 701, 
89dd4a4354c5675eab29541f834d3ec509323d8c 2327 2326 2012-05-09T10:34:42Z 31.184.238.9 0 ekfqVHoar wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-diflucan-en-ligne-fr.html achat diflucan, anxn, 999294fd53bd1bebc7d6e805a666a34e9a9d2458 2328 2327 2012-05-09T10:38:37Z 31.184.238.15 0 hsqEsVdIagBfHZtXpb wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active, >:[, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax, tbn, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy cheap zoloft, %-], b2a5e973d5229a1dba2c6d325bdc23d54df83c0b 2329 2328 2012-05-09T10:39:23Z 31.184.238.9 0 mureKzxFBDzmsVdH wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html acquistare zoloft, 295228, 1482501c160b225ea666e18088fb7885b3e5a9ca 2330 2329 2012-05-09T10:43:28Z 31.184.238.9 0 gMUZBBImSZIPq wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cipro-en-ligne-fr.html achat cipro, 7651, 6fb9f73ca63cad6feff27c43f9d72d62fa4108de 2331 2330 2012-05-09T10:43:47Z 31.184.238.15 0 QzGQiRgYARAArHVkVCb wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy generic strattera, nech, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, :-(, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html viagra professional, >:-((, a883d7c89eac50bf8a31c4a2a22fe5df967a9779 2332 2331 2012-05-09T10:47:30Z 31.184.238.9 0 dRhkBkWcWLlddoUdH wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-propecia-online-it.html comprare propecia online, =-DD, 2ff51dfe85ebbe66ce375a85f1ab1a45fc15c961 2333 2332 2012-05-09T10:48:45Z 31.184.238.15 0 JqRpFeZVF wikitext text/x-wiki comment6, http://cheappurchaseonline.com/ generic cialis, mgqw, http://cheappurchaseonline.com/ generic viagra, 8), http://cheappurchaseonline.com/ generic zoloft 
viagra professional, 8D, e4677256c45797024a3687c8fc1242ff6190689a 2334 2333 2012-05-09T10:51:43Z 31.184.238.9 0 FWFXkqWBIPJpUSaNr wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-zithromax-en-ligne-fr.html achat zithromax, 80780, 74fe232e2af1d8913256c2c776fa9bccb82b52ba 2335 2334 2012-05-09T10:53:45Z 31.184.238.15 0 kGLbcyFKeOZnjgh wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy cheap viagra super active, %-]], http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html generic zithromax, 645, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy generic zoloft, xwz, 6b900b435ee54dd98a0e1b4eb2a170e9a6f392d1 2336 2335 2012-05-09T10:56:22Z 31.184.238.9 0 mnocxAyurUuHVDejs wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cialis-professional-en-ligne-fr.html acheter cialis professional en ligne, cndzzp, 104b60867a27a7b49ca560f89e0664585707c82e 2338 2336 2012-05-09T10:58:35Z 31.184.238.15 0 koXFTnQpWBe wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy generic amoxil, 53005, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy generic cialis, %-D, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html buy generic cialis professional, ivusy, 4f99ee2bb6e8c66247cb35c2c135cacfec1c246e 2339 2338 2012-05-09T11:00:26Z 31.184.238.9 0 EkRqweKzQoRCAiG wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zithromax-online-it.html comprare zithromax, 239661, 05f0e6325938cc878edcf689a89675a4ffc632bb 2340 2339 2012-05-09T11:03:30Z 31.184.238.15 0 QLVdsvbEp wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy generic prednisone, cxeyef, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html priligy, 8-[[, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy propecia, hmo, 
75dca00e21a99ed2b58dbb1c062ef81722a41202 2341 2340 2012-05-09T11:04:30Z 31.184.238.9 0 dZSfggYvmgNbkibWs wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-lasix-online-it.html vendita lasix, :O, ed7f33e8d8b5f7068aae9cbe9028c672372362ae 2342 2341 2012-05-09T11:08:35Z 31.184.238.15 0 jFHRqcvjWWwunevdjat wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy generic strattera, strszb, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy viagra online, >:-], http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html generic viagra professional, %-(, f27e78baecfb42553ba5dc9b64d22821526aa37a 2343 2342 2012-05-09T11:09:20Z 31.184.238.9 0 YxgAyYlDCiEj wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html achat accutane, ehov, 9fa9fc1a17b3b434fe39ab1c7edb56280d084d15 2344 2343 2012-05-09T11:13:05Z 31.184.238.9 0 HbsKnJlhbTu wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-nolvadex-online-it.html comprare nolvadex online, 8]], a8c51742379efe48102e9dd4a9a853c71c790562 2345 2344 2012-05-09T11:13:47Z 31.184.238.15 0 yIyWjWcobai wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy generic strattera, %O, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, ixl, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy generic viagra professional, 29107, 3c444a46f7fe000d1d2b0079fd36c92ed1208b35 2346 2345 2012-05-09T11:17:07Z 31.184.238.9 0 dkeBTLjapmLp wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-diflucan-online-it.html acquistare diflucan, :-[[[, c39095952850f9148e7a128d2613f620406b9cea 2347 2346 2012-05-09T11:18:44Z 31.184.238.15 0 uhKWzwhFhhmmO wikitext text/x-wiki comment1, http://cheappurchaseonline.com/ generic cipro, >:-), http://cheappurchaseonline.com/ generic nolvadex, kfirtq, 
http://cheappurchaseonline.com/ generic zithromax, 22150, c1afe9e01062801b5783829d08311d77ad5ccb28 2348 2347 2012-05-09T11:21:32Z 31.184.238.9 0 arekEwIBgKVHFWZmxns wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-propecia-online-it.html comprare propecia, 8-)), 6a8a4650943f3a167b3af38079585e68b0a37d6e 2349 2348 2012-05-09T11:23:37Z 31.184.238.15 0 RDUnUuimMy wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy generic amoxil, 61477, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html cialis, 47129, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html buy cialis professional, =-), 173604003a2177ff2e04692bcccf339833a9f3cc 2350 2349 2012-05-09T11:25:25Z 31.184.238.9 0 lRmEMpSEWpiD wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-cialis-professional-online-it.html acquistare cialis professional, 815, 236abfd2712a4ed73b1af10fbf75c263e4577e25 2351 2350 2012-05-09T11:29:03Z 31.184.238.15 0 CjOLxJXQHtAdkTXx wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html prednisone, ftr, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy generic priligy, 9498, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy cheap propecia, mzc, 67190bcb2d91120a0176b8259ba2df4e40848dd1 2352 2351 2012-05-09T11:29:28Z 31.184.238.9 0 nnHTonkzZjdKiQ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-nolvadex-online-it.html acquistare nolvadex, 609, 710228b9db1d531898ff8999fefaf81d8fe4f68e 2353 2352 2012-05-09T11:33:27Z 31.184.238.9 0 UzSepvhQVcjdxvce wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-female-viagra-en-ligne-fr.html generique female viagra, snhlqg, 92679277cbf382743b192fb32aac4a5b1d869543 2354 2353 2012-05-09T11:33:38Z 31.184.238.15 0 nNRGFOGod wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy cheap 
kamagra, 8-]]], http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix, ldvve, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy levitra online, 54511, 7e3903f56773015ecdeaa720fef049a671c849b3 2355 2354 2012-05-09T11:37:29Z 31.184.238.9 0 gFliTCvQsfyFsBG wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-lasix-online-it.html generic lasix, uknmv, 45e5462f579ba4c86f74545508d0a2ce717c81da 2356 2355 2012-05-09T11:39:06Z 31.184.238.15 0 oWEHOsWNX wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html buy generic diflucan, =-PP, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy doxycycline online, 8D, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html generic flagyl, 83352, 2ffd3500e8caa6c2318307374635d78b63c5e988 2357 2356 2012-05-09T11:41:49Z 31.184.238.9 0 sgvUDAixJSFgVFKnwE wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter kamagra, kmjh, fe13c3d9dc89a0a54aa5ebeb60532b22b87fae8f 2358 2357 2012-05-09T11:43:51Z 31.184.238.15 0 fiAvcacgA wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy cheap kamagra, 743, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix, 762, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html generic levitra, 8]]], 335842bf84643aefb96f4f0eaede30604f842cdf 2359 2358 2012-05-09T11:45:43Z 31.184.238.9 0 oTpwgkyPzas wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-super-active-online-it.html acquistare viagra super active, 33286, a17a4b07103adaf37b9513ae6424378a41ba3a4c 2360 2359 2012-05-09T11:49:09Z 31.184.238.15 0 uaCnXvJJkVM wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy prednisone online, sit, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy priligy, yqh, 
2012-05-09T15:47:40Z 31.184.238.15 0 reXbgaorUQkAKT wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-naprelan-online-en.html generic naprelan, 52484, http://cheappurchaseonline.com/buy-generic-neem-online-en.html buy neem, 648998, http://cheappurchaseonline.com/buy-generic-neurontin-online-en.html buy neurontin, khttz, http://cheappurchaseonline.com/buy-generic-nexium-online-en.html buy nexium online, 451, http://cheappurchaseonline.com/buy-generic-nimotop-online-en.html generic nimotop, zjkw, http://cheappurchaseonline.com/buy-generic-nitroglycerin-online-en.html buy nitroglycerin online, 8-[[[, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html buy nizoral, mshels, http://cheappurchaseonline.com/buy-generic-noroxin-online-en.html generic noroxin, 8-[, 2c3e2d88bb2d854f396d4fe5f7b88823b08c2538 2464 2463 2012-05-09T15:51:08Z 31.184.238.9 0 JZODHxVjtIVVnhBPIVH wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-female-viagra-online-it.html comprare female viagra, cvcqf, eb7cec6f49358c4cbe13978797e93af4a6530752 2465 2464 2012-05-09T15:52:54Z 31.184.238.15 0 omqnXdOjQpcGH wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-calan-online-en.html generic calan, 526, http://cheappurchaseonline.com/buy-generic-calan-sr-online-en.html buy calan sr online, 27285, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html generic calcium carbonate, afgkj, http://cheappurchaseonline.com/buy-generic-capoten-online-en.html buy capoten, %-((, http://cheappurchaseonline.com/buy-generic-carafate-online-en.html buy carafate online, >:-O, http://cheappurchaseonline.com/buy-generic-cardarone-online-en.html buy cardarone online, yic, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html generic cardura, :]]], http://cheappurchaseonline.com/buy-generic-cataflam-online-en.html generic cataflam, 8885, 8bdc8a086ddada1a90180c1a0c6ff700e515a2b5 2466 2465 2012-05-09T15:55:30Z 31.184.238.9 
0 ziFsfaZaaWoZ wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-doxycycline-online-it.html comprare doxycycline, :-[[, e73b65a257375e78d65e38db78c6688b9f7b8c22 2467 2466 2012-05-09T15:57:57Z 31.184.238.15 0 OqQJCEauSsuPsRx wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-sinequan-online-en.html buy sinequan, frl, http://cheappurchaseonline.com/buy-generic-singulair-online-en.html generic singulair, 8PP, http://cheappurchaseonline.com/buy-generic-skelaxin-online-en.html buy skelaxin online, 8-), http://cheappurchaseonline.com/buy-generic-sleepwell-online-en.html buy sleepwell, >:[[, http://cheappurchaseonline.com/buy-generic-slimfast-online-en.html generic slimfast, 367, http://cheappurchaseonline.com/buy-generic-smok-ox-online-en.html buy smok-ox online, 8-OO, http://cheappurchaseonline.com/buy-generic-speman-online-en.html buy speman, 8-], http://cheappurchaseonline.com/buy-generic-sporanox-online-en.html buy sporanox, 8D, 08a1b30da420a1bcf961c2c9edc6ca72142d7dea 2468 2467 2012-05-09T15:59:54Z 31.184.238.9 0 vVvwqxLzRF wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-accutane-en-ligne-fr.html achat accutane, daau, 8ce4cfdf74e953b18d150fd5c4050e830f273194 2469 2468 2012-05-09T16:03:13Z 31.184.238.15 0 ZYurlKVYQpF wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-ditropan-xl-online-en.html generic ditropan xl, pkw, http://cheappurchaseonline.com/buy-generic-dulcolax-online-en.html buy dulcolax, 219, http://cheappurchaseonline.com/buy-generic-duricef-online-en.html buy duricef, 611, http://cheappurchaseonline.com/buy-generic-effexor-online-en.html generic effexor, 2133, http://cheappurchaseonline.com/buy-generic-effexor-xr-online-en.html buy effexor xr online, oyvxdi, http://cheappurchaseonline.com/buy-generic-eldepryl-online-en.html buy eldepryl online, =]], http://cheappurchaseonline.com/buy-generic-elimite-online-en.html buy elimite online, 241094, 
http://cheappurchaseonline.com/buy-generic-elocon-online-en.html generic elocon, 16234, c1b2c47c3b9ba2b251974987cd91c02ed76d617f 2470 2469 2012-05-09T16:03:49Z 31.184.238.9 0 SedrtQdlS wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-professional-online-it.html generic viagra professional, %-))), c5e5fabd60bd8be125501b9523ed8686219445dd 2471 2470 2012-05-09T16:07:59Z 31.184.238.9 0 TNVyAmuTLaYQJTkX wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-levitra-online-it.html comprare levitra, >:(, 0d4105aba268caf2ed94eff4b8ff1f250611ed22 2472 2471 2012-05-09T16:08:31Z 31.184.238.15 0 RJobhBheYOvpIeh wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html buy clarinex online, 129, http://cheappurchaseonline.com/buy-generic-claritin-online-en.html buy claritin online, >:-OOO, http://cheappurchaseonline.com/buy-generic-cleocin-online-en.html generic cleocin, osm, http://cheappurchaseonline.com/buy-generic-clonidine-online-en.html generic clonidine, zkaf, http://cheappurchaseonline.com/buy-generic-clozaril-online-en.html buy clozaril online, =PP, http://cheappurchaseonline.com/buy-generic-colospa-online-en.html generic colospa, 949843, http://cheappurchaseonline.com/buy-generic-combipres-online-en.html buy combipres, 91909, http://cheappurchaseonline.com/buy-generic-combivent-online-en.html buy combivent online, 030040, 046e45c3d198679995fbf99f61cec46ca4b2b61d 2473 2472 2012-05-09T16:12:17Z 31.184.238.9 0 QsUvsyPGyD wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-priligy-online-it.html vendita priligy, 088457, 28754e66abb5e3bd9b916886c7643144ed0c23c0 2474 2473 2012-05-09T16:13:52Z 31.184.238.15 0 scehzoPLPsViCcp wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-arcoxia-online-en.html buy arcoxia online, 600, http://cheappurchaseonline.com/buy-generic-aricept-online-en.html buy aricept online, 8DD, 
http://cheappurchaseonline.com/buy-generic-arimidex-online-en.html buy arimidex, %), http://cheappurchaseonline.com/buy-generic-aristocort-online-en.html buy aristocort online, 292335, http://cheappurchaseonline.com/buy-generic-arjuna-online-en.html buy arjuna online, jpu, http://cheappurchaseonline.com/buy-generic-artane-online-en.html buy artane online, 9117, http://cheappurchaseonline.com/buy-generic-asendin-online-en.html buy asendin, %-OOO, http://cheappurchaseonline.com/buy-generic-ashwafera-online-en.html buy ashwafera, 4462, 9614d59aef86d1f1893fcd9b8b184ae9165e07cc 2475 2474 2012-05-09T16:16:16Z 31.184.238.9 0 QdRQoRqIUzONYunKXYv wikitext text/x-wiki , http://onlinefarmacia.it/ comprare cipro, =[[[, 4b752422dd7b2b6653e443c84ac707d0e7f854f2 Linux Security Summit 2012 0 8 2476 2475 2012-05-09T16:18:43Z 31.184.238.15 0 UfoVRaxXsaTxiHg wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-starlix-online-en.html buy starlix, jlrt, http://cheappurchaseonline.com/buy-generic-stromectol-online-en.html buy stromectol, mcu, http://cheappurchaseonline.com/buy-generic-styplon-online-en.html generic styplon, %-P, http://cheappurchaseonline.com/buy-generic-suminat-online-en.html buy suminat online, 86400, http://cheappurchaseonline.com/buy-generic-sumycin-online-en.html buy sumycin, 96045, http://cheappurchaseonline.com/buy-generic-sustiva-online-en.html generic sustiva, 603149, http://cheappurchaseonline.com/buy-generic-symmetrel-online-en.html buy symmetrel, eqoo, http://cheappurchaseonline.com/buy-generic-synthroid-online-en.html buy synthroid, =-[, f0b6a6c723ba0ebdd3f3ac68cedc5405ffb2b9c3 2477 2476 2012-05-09T16:20:20Z 31.184.238.9 0 lggRTlAMAPsuYA wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-propecia-online-it.html prezzo propecia, dzn, 378d91a2caab66e83337eb940d3546d15060c48b 2478 2477 2012-05-09T16:24:41Z 31.184.238.9 0 dpGvvBcehPUc wikitext text/x-wiki , 
http://acquistareladroga.it/comprare-acquistare-prednisone-online-it.html comprare prednisone, lysuhr, 162c61763b2fa573390128bddd58e4a28ea0653d 2479 2478 2012-05-09T16:24:52Z 31.184.238.15 0 jeTSPSoOZ wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-catapres-online-en.html buy catapres online, tixdvz, http://cheappurchaseonline.com/buy-generic-ceclor-cd-online-en.html buy ceclor cd, mpx, http://cheappurchaseonline.com/buy-generic-ceclor-online-en.html generic ceclor, 9619, http://cheappurchaseonline.com/buy-generic-cefaclor-online-en.html buy cefaclor online, 65019, http://cheappurchaseonline.com/buy-generic-celebrex-online-en.html generic celebrex, rvoj, http://cheappurchaseonline.com/buy-generic-celexa-online-en.html generic celexa, auogrb, http://cheappurchaseonline.com/buy-generic-cephalexin-online-en.html buy cephalexin, whtim, http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html generic chloromycetin, clh, c8ecc45c908656669d6127943020e27d2d193cc0 2480 2479 2012-05-09T16:28:43Z 31.184.238.9 0 STmKUlPaHLxmzKYOyak wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html acheter accutane, 5294, 5fc8b9ba4b2b5a8978d75271ec73a65a665a6917 2481 2480 2012-05-09T16:29:39Z 31.184.238.15 0 anckwHbYbmUlYiggDYC wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-lithobid-online-en.html buy lithobid, 822, http://cheappurchaseonline.com/buy-generic-liv52-drops-online-en.html buy liv.52 drops online, >:[[[, http://cheappurchaseonline.com/buy-generic-liv52-online-en.html generic liv.52, 89673, http://cheappurchaseonline.com/buy-generic-lopid-online-en.html buy lopid, >:-OOO, http://cheappurchaseonline.com/buy-generic-lopressor-online-en.html generic lopressor, >:-((, http://cheappurchaseonline.com/buy-generic-lotensin-online-en.html buy lotensin, 8[[[, http://cheappurchaseonline.com/buy-generic-lotrel-online-en.html generic lotrel, drmy, 
http://cheappurchaseonline.com/buy-generic-lotrisone-online-en.html buy lotrisone, rxlx, 4fecff6303e8bbee4214dddb8d129591715d4463 2482 2481 2012-05-09T16:33:01Z 31.184.238.9 0 lIGZeogKGbTllh wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html vente accutane, nmwnt, 8eb17dc48ebf9ec1245be649f899529fbc0a96c1 2483 2482 2012-05-09T16:34:58Z 31.184.238.15 0 euSfXyofspARlc wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-catapres-online-en.html buy catapres, 656, http://cheappurchaseonline.com/buy-generic-ceclor-cd-online-en.html generic ceclor cd, 8-]]], http://cheappurchaseonline.com/buy-generic-ceclor-online-en.html buy ceclor, 069, http://cheappurchaseonline.com/buy-generic-cefaclor-online-en.html buy cefaclor online, 91079, http://cheappurchaseonline.com/buy-generic-celebrex-online-en.html generic celebrex, =-DDD, http://cheappurchaseonline.com/buy-generic-celexa-online-en.html generic celexa, %-PP, http://cheappurchaseonline.com/buy-generic-cephalexin-online-en.html generic cephalexin, 54655, http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html generic chloromycetin, 718, 0e47ea54e58aa9421c02e4fb18a76b73b80b4bfe 2484 2483 2012-05-09T16:37:19Z 31.184.238.9 0 hBTvQRTzv wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-diflucan-online-it.html generic diflucan, fyyzl, 54861cd5eb8f56cda5feedec1ec95c5221bfc0cb 2485 2484 2012-05-09T16:40:26Z 31.184.238.15 0 FWRYBznsijsNRrGv wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-grisactin-online-en.html generic grisactin, 90767, http://cheappurchaseonline.com/buy-generic-herbolax-online-en.html buy herbolax online, %)), http://cheappurchaseonline.com/buy-generic-himcolin-online-en.html buy himcolin online, 46583, http://cheappurchaseonline.com/buy-generic-himplasia-online-en.html buy himplasia, >:OO, http://cheappurchaseonline.com/buy-generic-hoodia-online-en.html buy hoodia online, %O, 
http://cheappurchaseonline.com/buy-generic-hydrea-online-en.html buy hydrea, 8-), http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html buy hyzaar, pta, http://cheappurchaseonline.com/buy-generic-imdur-online-en.html generic imdur, tfno, fdcfe9b2976a9b693a2a46f2675c67aa55bb63fd 2486 2485 2012-05-09T16:41:25Z 31.184.238.9 0 ZuKKiDUBzCla wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-strattera-online-it.html generic strattera, ywpclq, db6435fe17e2f360000882abe98bb93c2e78e9a8 2487 2486 2012-05-09T16:45:24Z 31.184.238.9 0 kbycdhONQrbRTGB wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cialis-professional-en-ligne-fr.html acheter cialis professional, lifg, 55397da68020651602cac04eb500227a0859a428 2488 2487 2012-05-09T16:45:50Z 31.184.238.15 0 AxgrJvBNmMnuhYVcnvB wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-ditropan-xl-online-en.html buy ditropan xl, clhb, http://cheappurchaseonline.com/buy-generic-dulcolax-online-en.html generic dulcolax, 66922, http://cheappurchaseonline.com/buy-generic-duricef-online-en.html buy duricef, 8-OOO, http://cheappurchaseonline.com/buy-generic-effexor-online-en.html buy effexor, %-OO, http://cheappurchaseonline.com/buy-generic-effexor-xr-online-en.html buy effexor xr online, aupdea, http://cheappurchaseonline.com/buy-generic-eldepryl-online-en.html buy eldepryl, zujfc, http://cheappurchaseonline.com/buy-generic-elimite-online-en.html buy elimite online, >:[[, http://cheappurchaseonline.com/buy-generic-elocon-online-en.html buy elocon, 8-[, 57bfaba450a53640fd3bc1c090635f93278c02c9 2489 2488 2012-05-09T16:49:29Z 31.184.238.9 0 RXYTzMaO wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-cialis-super-active-en-ligne-fr.html generique cialis super active, qqcg, 2293290ed3501d936ef121e8639f758cd692cfb5 2490 2489 2012-05-09T16:53:32Z 31.184.238.9 0 qxTjwgoDSrsQpPJ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-levitra-online-it.html 
generic levitra, 025, 42e839c98a05872f7b7d0cc92e79e34211ba8c1a 2491 2490 2012-05-09T16:57:03Z 31.184.238.15 0 wgxcBrEupncraQpFSU wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-sinequan-online-en.html generic sinequan, 8O, http://cheappurchaseonline.com/buy-generic-singulair-online-en.html generic singulair, %-[, http://cheappurchaseonline.com/buy-generic-skelaxin-online-en.html generic skelaxin, 41150, http://cheappurchaseonline.com/buy-generic-sleepwell-online-en.html buy sleepwell, 8-[, http://cheappurchaseonline.com/buy-generic-slimfast-online-en.html buy slimfast online, 33976, http://cheappurchaseonline.com/buy-generic-smok-ox-online-en.html buy smok-ox, 6321, http://cheappurchaseonline.com/buy-generic-speman-online-en.html buy speman online, 56819, http://cheappurchaseonline.com/buy-generic-sporanox-online-en.html buy sporanox online, 371581, af28b52e8fa85d0efe0680683eaaf400cea61044 2492 2491 2012-05-09T16:57:32Z 31.184.238.9 0 knlPFPSP wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-propecia-online-it.html prezzo propecia, 5013, 0c23f4d1aa784b26a84c3da63f96a3e389050904 2493 2492 2012-05-09T17:01:57Z 31.184.238.9 0 ptzhclQMgwyrKynZWa wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-strattera-online-it.html acquistare strattera, muhgrt, c010ce5709d05fa34e6a9c83cd426cbe532aa536 2494 2493 2012-05-09T17:02:13Z 31.184.238.15 0 slhKEUccDlS wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-calan-online-en.html buy calan, 7503, http://cheappurchaseonline.com/buy-generic-calan-sr-online-en.html buy calan sr, jhas, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html buy calcium carbonate online, dhz, http://cheappurchaseonline.com/buy-generic-capoten-online-en.html buy capoten online, wmzh, http://cheappurchaseonline.com/buy-generic-carafate-online-en.html buy carafate online, 529107, http://cheappurchaseonline.com/buy-generic-cardarone-online-en.html buy 
cardarone, 953674, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html generic cardura, tyh, http://cheappurchaseonline.com/buy-generic-cataflam-online-en.html buy cataflam online, 793, 04dae2e8834b0998b2b69778baf002d7a06de59f 2495 2494 2012-05-09T17:06:09Z 31.184.238.9 0 gWnYSDXcPINWYWgZC wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-flagyl-online-it.html generico flagyl, 603, 1e68676085c66024e06f272e58b45dc1210ab01b 2496 2495 2012-05-09T17:07:26Z 31.184.238.15 0 OoSqkesjjmWVdwjS wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html buy cozaar, :-P, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html buy crestor online, 8[, http://cheappurchaseonline.com/buy-generic-crixivan-online-en.html generic crixivan, =PPP, http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html buy cymbalta online, 30940, http://cheappurchaseonline.com/buy-generic-cystone-online-en.html buy cystone, =-((, http://cheappurchaseonline.com/buy-generic-cytotec-online-en.html buy cytotec, 1729, http://cheappurchaseonline.com/buy-generic-cytoxan-online-en.html generic cytoxan, qeqyjh, http://cheappurchaseonline.com/buy-generic-danazol-online-en.html buy danazol, 8-], 278430d134a08f1f4f0fbc99d519bfc47ddf079f 2497 2496 2012-05-09T17:10:11Z 31.184.238.9 0 ujQoxhXyMGIa wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zithromax-online-it.html generic zithromax, efptzj, f80634d670d143aa0cb3db7b8949fe5269788eb6 2498 2497 2012-05-09T17:12:46Z 31.184.238.15 0 gRgtwLCpgNnQzv wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-calan-online-en.html buy calan online, 69023, http://cheappurchaseonline.com/buy-generic-calan-sr-online-en.html buy calan sr online, 1597, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html generic calcium carbonate, ouctym, http://cheappurchaseonline.com/buy-generic-capoten-online-en.html buy capoten online, crrd, 
http://cheappurchaseonline.com/buy-generic-carafate-online-en.html buy carafate online, =-), http://cheappurchaseonline.com/buy-generic-cardarone-online-en.html buy cardarone, :-((, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html buy cardura online, igxqz, http://cheappurchaseonline.com/buy-generic-cataflam-online-en.html buy cataflam, 799, 654eaf84602a4ba9d2ed9017b04beffbac1afe6c 2499 2498 2012-05-09T17:14:25Z 31.184.238.9 0 HAAEXaYHpwjfSY wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html generic viagra, yhrf, a75ed797ad23d2ae804aa8cfcd5ded29cedec59a 2500 2499 2012-05-09T17:17:52Z 31.184.238.15 0 VuYsYrQW wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-tegopen-online-en.html buy tegopen, 872799, http://cheappurchaseonline.com/buy-generic-tenormin-online-en.html generic tenormin, 96195, http://cheappurchaseonline.com/buy-generic-tentex-forte-online-en.html buy tentex forte online, mmgo, http://cheappurchaseonline.com/buy-generic-tentex-royal-online-en.html buy tentex royal, jkwenu, http://cheappurchaseonline.com/buy-generic-terramycin-online-en.html buy terramycin, 66772, http://cheappurchaseonline.com/buy-generic-tetracycline-online-en.html buy tetracycline online, 294, http://cheappurchaseonline.com/buy-generic-theo-24-cr-online-en.html buy theo-24 cr online, 79950, http://cheappurchaseonline.com/buy-generic-theo-24-sr-online-en.html buy theo-24 sr online, 903, ad0953fc33a28849d4b9919c52124b8690052735 2501 2500 2012-05-09T17:18:49Z 31.184.238.9 0 tqwzfwvjzDc wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-flagyl-online-it.html generico flagyl, rgoiow, 06e148f4d882a3e0209efdc6b0587ca78b30839a 2502 2501 2012-05-09T17:23:07Z 31.184.238.15 0 yUSjNpod wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-risnia-online-en.html generic risnia, :-P, http://cheappurchaseonline.com/buy-generic-risperdal-online-en.html buy risperdal, 262, 
http://cheappurchaseonline.com/buy-generic-robaxin-online-en.html generic robaxin, 878, http://cheappurchaseonline.com/buy-generic-rocaltrol-online-en.html buy rocaltrol, >:-D, http://cheappurchaseonline.com/buy-generic-rulide-online-en.html buy rulide, 1026, http://cheappurchaseonline.com/buy-generic-rumalaya-fort-online-en.html generic rumalaya fort, %((, http://cheappurchaseonline.com/buy-generic-rumalaya-online-en.html buy rumalaya, 5999, http://cheappurchaseonline.com/buy-generic-rythmol-online-en.html generic rythmol, 8[, 4fda823b62aacdff4232524c92042f8225d79ebd 2503 2502 2012-05-09T17:23:15Z 31.184.238.9 0 YRzCZxIFSMoM wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-nolvadex-online-it.html comprare nolvadex online, 141, 37f081f266bab11ff32667f3c96bb1d668eefdfc 2504 2503 2012-05-09T17:27:37Z 31.184.238.9 0 RTEhOOsowKkhAwDoXlx wikitext text/x-wiki , http://onlinefarmacia.it/ comprare cialis professional, 623890, cfda7f61b8ab697b84ca847f57bad9b203fb9d44 2505 2504 2012-05-09T17:28:05Z 31.184.238.15 0 qEWXpFTTwXxznerhQ wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-yagara-online-en.html buy yagara online, hqil, http://cheappurchaseonline.com/buy-generic-zagam-online-en.html buy zagam, vvo, http://cheappurchaseonline.com/buy-generic-zantac-online-en.html buy zantac, xnhxii, http://cheappurchaseonline.com/buy-generic-zebeta-online-en.html buy zebeta, 3786, http://cheappurchaseonline.com/buy-generic-zerit-online-en.html buy zerit, 705192, http://cheappurchaseonline.com/buy-generic-zestoretic-online-en.html buy zestoretic, 1336, http://cheappurchaseonline.com/buy-generic-zestril-online-en.html buy zestril online, opljg, http://cheappurchaseonline.com/buy-generic-zetia-online-en.html generic zetia, 219572, 072c68a99f8c53ac4dbaa4256a306fa9d932b87b 2506 2505 2012-05-09T17:32:07Z 31.184.238.9 0 WIZeccIm wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-amoxil-en-ligne-fr.html acheter amoxil en ligne, >:-[, 
7162daedaa190c78b844adb33ecfad43b7ec24ee 2507 2506 2012-05-09T17:33:33Z 31.184.238.15 0 rRooCbSgh wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-epivir-hbv-online-en.html buy epivir hbv, 34785, http://cheappurchaseonline.com/buy-generic-epivir-online-en.html generic epivir, 525, http://cheappurchaseonline.com/buy-generic-erythromycin-online-en.html buy erythromycin online, lwvs, http://cheappurchaseonline.com/buy-generic-eskalith-online-en.html buy eskalith, 11246, http://cheappurchaseonline.com/buy-generic-estrace-online-en.html buy estrace online, swjfq, http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html buy etodolac, =-]], http://cheappurchaseonline.com/buy-generic-evecare-online-en.html buy evecare online, :-P, http://cheappurchaseonline.com/buy-generic-evista-online-en.html generic evista, pqz, 2dd50274bb15ac7f767a3647b4757fbd445f20d1 2508 2507 2012-05-09T17:39:08Z 31.184.238.15 0 NIsJvwhm wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-phoslo-online-en.html buy phoslo, 8-(, http://cheappurchaseonline.com/buy-generic-pilex-online-en.html buy pilex online, 664, http://cheappurchaseonline.com/buy-generic-plavix-online-en.html generic plavix, 4898, http://cheappurchaseonline.com/buy-generic-plendil-online-en.html buy plendil, >:))), http://cheappurchaseonline.com/buy-generic-pletal-online-en.html buy pletal, sin, http://cheappurchaseonline.com/buy-generic-ponstel-online-en.html buy ponstel online, 8630, http://cheappurchaseonline.com/buy-generic-prandin-online-en.html buy prandin online, >:))), http://cheappurchaseonline.com/buy-generic-precose-online-en.html buy precose online, mvjegr, 9820b67b5b3fbe1de0cd146fea59314845fb2e32 2509 2508 2012-05-09T17:44:55Z 31.184.238.15 0 UnuSIdahwl wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-biaxin-online-en.html generic biaxin, 1006, http://cheappurchaseonline.com/buy-generic-brafix-online-en.html buy brafix, ezdbvp, 
http://cheappurchaseonline.com/buy-generic-brahmi-online-en.html generic brahmi, deea, http://cheappurchaseonline.com/buy-generic-brand-temovate-online-en.html buy brand temovate online, igpb, http://cheappurchaseonline.com/buy-generic-breast-success-online-en.html buy breast success online, weute, http://cheappurchaseonline.com/buy-generic-brethine-online-en.html buy brethine, 52411, http://cheappurchaseonline.com/buy-generic-bupron-sr-online-en.html buy bupron sr, 0090, http://cheappurchaseonline.com/buy-generic-buspar-online-en.html generic buspar, 976, 57514ab0200bc7454676d4ea87008d9fec3a5d54 2510 2509 2012-05-09T17:50:18Z 31.184.238.15 0 ldzgKWzbHsObkRsSQbQ wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-imitrex-online-en.html buy imitrex, 30593, http://cheappurchaseonline.com/buy-generic-imodium-online-en.html buy imodium, zeoue, http://cheappurchaseonline.com/buy-generic-imuran-online-en.html buy imuran, %-]], http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html generic inderal la, ourap, http://cheappurchaseonline.com/buy-generic-inderal-online-en.html buy inderal online, atn, http://cheappurchaseonline.com/buy-generic-indinavir-online-en.html generic indinavir, 3714, http://cheappurchaseonline.com/buy-generic-isoptin-online-en.html buy isoptin, 615986, http://cheappurchaseonline.com/buy-generic-isoptin-sr-online-en.html buy isoptin sr online, uxnyju, 96bb5704c23d74122a10052c4097a35808e1b91e 2511 2510 2012-05-09T17:55:47Z 31.184.238.15 0 FuaRHeXRWYmIOi wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-sinequan-online-en.html buy sinequan, jef, http://cheappurchaseonline.com/buy-generic-singulair-online-en.html generic singulair, :DDD, http://cheappurchaseonline.com/buy-generic-skelaxin-online-en.html buy skelaxin, 602015, http://cheappurchaseonline.com/buy-generic-sleepwell-online-en.html buy sleepwell online, :-DDD, http://cheappurchaseonline.com/buy-generic-slimfast-online-en.html generic 
Linux Security Summit 2012
cr, %-O, http://cheappurchaseonline.com/buy-generic-urispas-online-en.html buy urispas online, zmhpm, f5a0914d4df2c985e5af803b1465a4953b947ec1 2561 2560 2012-05-09T21:55:50Z 31.184.238.15 0 AsshQrUiPjn wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-frumil-online-en.html buy frumil online, hsuoxr, http://cheappurchaseonline.com/buy-generic-fulvicin-online-en.html buy fulvicin, 584465, http://cheappurchaseonline.com/buy-generic-furadantin-online-en.html generic furadantin, :), http://cheappurchaseonline.com/buy-generic-furoxone-online-en.html generic furoxone, szsbfx, http://cheappurchaseonline.com/buy-generic-gasex-online-en.html buy gasex, 761695, http://cheappurchaseonline.com/buy-generic-geodon-online-en.html buy geodon online, 25892, http://cheappurchaseonline.com/buy-generic-geriforte-online-en.html buy geriforte, 005, http://cheappurchaseonline.com/buy-generic-gestanin-online-en.html generic gestanin, bjex, 9a64e8b2dc2ec58cd67ff7cd87cab536b91f24b5 2562 2561 2012-05-09T22:01:47Z 31.184.238.15 0 MjNJEzCzDGjxL wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy generic amoxil, irj, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy cheap cialis, =-DD, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html buy generic cialis professional, 3979, 671d00d7e2a70291959c2f23640e3a1ae897fa96 2563 2562 2012-05-09T22:06:28Z 31.184.238.15 0 dKsWYSwYcA wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy cheap amoxil, cgesr, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html cialis, %[[, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html cialis professional, 8-DD, e4323d356b64291425d1911fe7ea8e82fc6625e0 2564 2563 2012-05-09T22:11:21Z 31.184.238.15 0 ZkDadLgraqm wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy prednisone 
online, 366541, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy cheap priligy, jdc, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html propecia, 617823, 2e3f3e14c734b9c5809ea21ad65f7a8a54f7d70a 2565 2564 2012-05-09T22:16:26Z 31.184.238.15 0 CRhaNmgVp wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy cheap viagra super active, %-[[, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax online, ckrmp, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html zoloft, 428, 12da323f860aa4fdc7a6e0033187a08919643840 2566 2565 2012-05-09T22:21:37Z 31.184.238.15 0 COVRTYxDhMKGsWu wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html generic prednisone, 9636, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy generic priligy, 222808, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html propecia, :-D, d576b9563b4e529ad6025bbfaa2f9eff565821e4 2567 2566 2012-05-09T22:26:43Z 31.184.238.15 0 cYnWPqCaeHNiN wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html buy generic cialis super active, 750084, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html buy cipro, :-]]], http://cheappurchaseonline.com/buy-generic-clomid-online-en.html buy cheap clomid, %((, 611d197535bc47c3e3b79b317fae99df80a7a936 2568 2567 2012-05-09T22:47:03Z 31.184.238.15 0 jahCQnHyCuUwwz wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html generic nolvadex, 878, http://cheappurchaseonline.com/buy-generic--online-en.html buy generic accutane, 12709, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy orlistat, 4019, 01b2f12c9fdc5f5c51cf27dd131c958d71d6ac41 2569 2568 2012-05-09T22:53:05Z 31.184.238.15 0 ouHXkJlg wikitext text/x-wiki comment2, 
http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active, >:), http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html zithromax, divvod, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy zoloft online, =DDD, 03a3caf4301eca8cb26ce4fdabb23a097386a47e 2570 2569 2012-05-09T23:03:34Z 31.184.238.15 0 lNoOfXZpgfovdIc wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html buy diflucan online, axknxj, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy doxycycline online, >:((, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy flagyl, agydan, af79040ab45897a3503bd6e05ffe19c37676c421 2571 2570 2012-05-09T23:07:24Z 31.184.238.15 0 rCVgTlqTAslmCrke wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy strattera online, jmc, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, 5851, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy viagra professional online, %DD, 59ee3ab1a2930def35ed9e44a747e9f6453a6ed4 2572 2571 2012-05-09T23:12:56Z 31.184.238.15 0 rtvuaOuBsme wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ generic cialis, hjusnr, http://cheappurchaseonline.com/ generic levitra, vnpxrc, http://cheappurchaseonline.com/ generic viagra super active, %-DDD, 6fdc683c929d2e9652258dc7bc02972365c307f8 2573 2572 2012-05-09T23:24:17Z 31.184.238.15 0 ELonbTlDgNoOR wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html buy cheap diflucan, 0567, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy cheap doxycycline, 10807, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy generic flagyl, %P, c37aeac217ac7232f1d84ab619bfa48adae4e340 2574 2573 2012-05-09T23:28:30Z 31.184.238.15 0 DYXtCXAXzcxySwVD wikitext text/x-wiki comment4, 
http://cheappurchaseonline.com/ generic lasix, kikxww, http://cheappurchaseonline.com/ generic priligy, acms, http://cheappurchaseonline.com/ generic amoxil, 5684, 10164e0885daea02952720def0bf91f39f1e1635 2575 2574 2012-05-09T23:32:32Z 31.184.238.15 0 YRkvpvMPkalUjuNaoo wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html buy cialis super active, %DD, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html buy cipro online, bobdjn, http://cheappurchaseonline.com/buy-generic-clomid-online-en.html generic clomid, =-), 4a663cd03bf67181e66ae6b522c0e90ec884a40e 2576 2575 2012-05-09T23:38:13Z 31.184.238.15 0 qNaUgaMACrwojIkRYPd wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html generic prednisone, =-]], http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy generic priligy, laz, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html generic propecia, 61422, d15bc1771d3ce5cd27ce5ef24c3fe6cb88b321a3 2577 2576 2012-05-09T23:42:35Z 31.184.238.15 0 KbGIKEzrJSqjBQvvMT wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html diflucan, 81430, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy cheap doxycycline, 065, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy generic flagyl, 86829, 90360d44251d2542133a3115c7ba8051ded53880 2578 2577 2012-05-09T23:52:43Z 31.184.238.15 0 snnERYZm wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy kamagra online, 271, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html generic lasix, 8-], http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy cheap levitra, 5074, b4939eae8efb53f24caa32b4a54a50264f0bfa0d Linux Security Summit 2012 0 8 2579 2578 2012-05-09T23:57:51Z 31.184.238.15 0 hdEMVbDkSUfvLLn wikitext text/x-wiki comment4, 
http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy prednisone, xjwhh, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy generic priligy, 1400, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy propecia, 1887, dcdf6671dd0697c276204c2145bb35ca79f0e6d7 2580 2579 2012-05-10T00:03:39Z 31.184.238.15 0 HgKJfvehkFzBbnQPhcb wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html nolvadex, 8890, http://cheappurchaseonline.com/buy-generic--online-en.html generic accutane, 185604, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html generic orlistat, 9892, 01836115d72f0f1a6281b48444e76640c41b8c91 2581 2580 2012-05-10T00:08:25Z 31.184.238.15 0 qVtQVJIWXwT wikitext text/x-wiki comment4, http://cheappurchaseonline.com/ generic cialis, %PP, http://cheappurchaseonline.com/ generic cialis, 2670, http://cheappurchaseonline.com/ generic kamagra, 7091, 3d3877f68ad8d15d8177c9bfcd6969ee0b119b38 2582 2581 2012-05-10T00:13:52Z 31.184.238.15 0 RoYlwpGWjkdV wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy cheap prednisone, nyu, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy priligy, yyfm, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy propecia, 229, c676a17f753d209952b61103d32d8a6582c3e9ea 2583 2582 2012-05-10T00:19:21Z 31.184.238.15 0 qEEvkibMgstbCtFZQwF wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy nolvadex</a>, =-], http://cheappurchaseonline.com/buy-generic--online-en.html buy cheap accutane, vgr, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy generic orlistat, 952, 9ed0402e298ce251de0a27caa07d7071903ae3c7 2584 2583 2012-05-10T00:24:54Z 31.184.238.15 0 sBqIMSuLmGUcVQbCj wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy generic kamagra, :-))), 
http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix, 22201, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html generic levitra, >:-[[[, 1dbedd3415ab76d3d79fd065b86273038e3fd2ef 2585 2584 2012-05-10T00:29:44Z 31.184.238.15 0 XCrjIjYPuU wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy kamagra online, nhu, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html generic lasix, 8-P, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy levitra, hdw, c35b77e5133251d2c926aa28c2cb05e4ecbf77b2 2586 2585 2012-05-10T00:34:41Z 31.184.238.15 0 HzfFhJUp wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html generic kamagra, =OOO, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html lasix, 105550, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html generic levitra, oziaq, 1cca5c48a104eb56f119526c7bfb6d15d21f0b2d 2587 2586 2012-05-10T00:39:43Z 31.184.238.15 0 fJltEENjr wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy generic viagra super active, rlyh, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html zithromax, >:-], http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html generic zoloft, %PP, 40c795984fd7e64e61d8bc13c293f1f41fcbbdec 2588 2587 2012-05-10T00:45:10Z 31.184.238.15 0 SySbzwumpGWvvnnA wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy generic prednisone, 60155, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html priligy, >:], http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy generic propecia, :-P, bc7cbb56a35663d8e24998983494114a6594030b 2589 2588 2012-05-10T00:50:31Z 31.184.238.15 0 nHzsBxQhR wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy strattera online, pkb, 
http://cheappurchaseonline.com/buy-generic-viagra-online-en.html viagra, 59204, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy cheap viagra professional, 533, b17d89f121348e273aafae320e7611497a5a3362 2590 2589 2012-05-10T00:55:35Z 31.184.238.15 0 SjvqJQIoRJ wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy generic prednisone, sdjnxc, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy generic priligy, >:-DDD, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy cheap propecia, 8[[, 58b9929108d03dfbcd04bea19fc4c6557f784fe5 2591 2590 2012-05-10T01:01:00Z 31.184.238.15 0 zkKohdCRDFRPFTJqi wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html amoxil, >:DDD, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy cialis, mchp, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html buy cialis professional, tek, d2aecfb2ff46c5e9b9d78b6091b2a112f91b7ccc 2592 2591 2012-05-10T01:06:52Z 31.184.238.15 0 exsEzgUzzzEbpHAVgr wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy cheap kamagra, 612454, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix online, 2463, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy generic levitra, azzg, 4d6f65ec00770c17909a69091fce3e5ba5a1add4 2593 2592 2012-05-10T01:12:43Z 31.184.238.15 0 ixxBbjUBIvsZ wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy generic kamagra, 42818, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix, 7069, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy cheap levitra, ksfdx, a16a85f04f423858efd4e017b098d6d050db1ce8 2594 2593 2012-05-10T01:19:10Z 31.184.238.15 0 XlEXmAMmBPWlLY wikitext text/x-wiki comment2, 
http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html generic cialis super active, sstg, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html generic cipro, 95185, http://cheappurchaseonline.com/buy-generic-clomid-online-en.html buy cheap clomid, 1630, ba3276ef948a09a958157156fb9705e028b39e2f 2595 2594 2012-05-10T01:25:55Z 31.184.238.15 0 zjEFTroaS wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy kamagra online, 53515, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix online, %-PP, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html levitra, =((, e56e4ffedc48ddf26273e120e3be962c16ba479a 2596 2595 2012-05-10T01:31:22Z 31.184.238.15 0 hOMfmSDD wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy cheap nolvadex, fjfok, http://cheappurchaseonline.com/buy-generic--online-en.html generic accutane, 8-DD, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy orlistat online, =-], e4412bdcb324e269befcb96f1f650e20a3a3f0dc 2597 2596 2012-05-10T01:37:14Z 31.184.238.15 0 xYDNrZiDPmdvrb wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active online, :PPP, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html zithromax, %((, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html buy cheap zoloft, vojrj, a5de47b460ced6406bb65e94a396fb1e5903217a 2598 2597 2012-05-10T01:43:18Z 31.184.238.15 0 tJDsOoBXdDrPET wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy nolvadex</a>, =(((, http://cheappurchaseonline.com/buy-generic--online-en.html buy accutane, 8-(((, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy generic orlistat, 8DDD, 012af5f7e0a03938abb0428d6f4408d7af19c3cd 2599 2598 2012-05-10T01:48:50Z 31.184.238.15 0 
SDJoZQCGnphtzOhnPvD wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy cheap prednisone, nxayse, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html priligy, 7342, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy propecia, 3082, 545dfda039361b7d022f2ec1b42c1c80658a5233 2600 2599 2012-05-10T01:53:58Z 31.184.238.15 0 kJXkNKbdWmjvcDCQN wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html buy diflucan online, 708795, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy generic doxycycline, =-PP, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy flagyl online, 103, 1368eba0f25bcde74a265ce8ab681ef5baa57b8f 2601 2600 2012-05-10T02:00:05Z 31.184.238.15 0 eDLGpHrVqi wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html diflucan, xevz, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy doxycycline, 8PP, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy flagyl online, wji, 9d255ccb527041148ff8034961efdfafcfa587c3 2602 2601 2012-05-10T02:05:42Z 31.184.238.15 0 HJLTdMiyTZ wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html generic diflucan, :[[, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html doxycycline, 458370, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy flagyl online, :(, 7a4f04807d260155127dc8fcf21710da0444294e 2603 2602 2012-05-10T02:12:20Z 31.184.238.15 0 ULsUlvTCwcfwET wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy prednisone online, lmpxzt, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy priligy online, vaue, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html generic propecia, %-D, 35e62853c7826e2e635a18645dc3e45eeef8a521 2604 
2603 2012-05-10T02:17:24Z 31.184.238.15 0 AsblSjwZEqe wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy amoxil online, 87705, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy cialis online, 56972, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html buy cialis professional, 886, 8dc764fb9094d1d3a3c7cc9d9e70a3982d57f86d 2605 2604 2012-05-10T02:23:10Z 31.184.238.15 0 atbVxCtbtTFtQG wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy generic kamagra, %D, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html lasix, =PPP, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy generic levitra, 95915, 5c323f367f35b1c2cdec02667dfee5b41561dcb1 2606 2605 2012-05-10T02:28:25Z 31.184.238.15 0 dqcFDieehZR wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy strattera, 971139, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy viagra online, asvtsi, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html generic viagra professional, :-)), 292918443c90ee53bd3598bd8d3f2709c0995756 2607 2606 2012-05-10T02:33:45Z 31.184.238.15 0 mWDhzvCkRSpNLVJuT wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html buy cialis super active, 147038, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html buy cheap cipro, =[[[, http://cheappurchaseonline.com/buy-generic-clomid-online-en.html buy cheap clomid, 02213, b502a7e53e99c4d1cdb9b68e426749df249b5287 2608 2607 2012-05-10T02:38:56Z 31.184.238.15 0 raXaPLAosFhVWeDATbk wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy kamagra, =P, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy generic lasix, ybkf, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html 
levitra, :-]], 8ce2797898e17223fcc855fd98aa48b9d064bbe2 2609 2608 2012-05-10T02:44:43Z 31.184.238.15 0 IdWIxqzO wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html generic strattera, nyyr, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy viagra online, %-), http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy generic viagra professional, :-[[[, 56af9858792a1e39f5551bf7e6993e1876e3a72c 2610 2609 2012-05-10T02:50:13Z 31.184.238.15 0 laUxMsjsNedmDlAQOlm wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html strattera, >:-[[, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy generic viagra, >:-PP, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html generic viagra professional, 7674, fdf21a324b16e03d9b34e16e10d6f92e6eefe5e8 2611 2610 2012-05-10T02:55:07Z 31.184.238.15 0 HiJRtHTEJFdDvkXdCDE wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html buy generic cialis super active, >:DD, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html cipro, hwg, http://cheappurchaseonline.com/buy-generic-clomid-online-en.html buy clomid online, 4524, a8796a556cb44bc15cb1b8ead68a73fbaddc901b 2612 2611 2012-05-10T03:00:18Z 31.184.238.15 0 OfKtGPGjJwDESQjbHuU wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy generic strattera, wthf, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html generic viagra, 409105, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy generic viagra professional, =-P, bff4242e97cdb3a0f92b3df9d60f8c81f8104a83 2613 2612 2012-05-10T03:05:22Z 31.184.238.15 0 YkmtmuKDI wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy kamagra, %-)), 
http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy cheap lasix, 6241, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy generic levitra, 140, 561d0dcd77c1cba1a2b8d0925ab515ff62429707 2614 2613 2012-05-10T03:11:13Z 31.184.238.15 0 BkDLMvCQHDye wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy generic kamagra, =-]], http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix online, 0495, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy levitra online, axkk, 6f5b6d2b31edcd22387ba217e6f86ff9f8d5db4e 2615 2614 2012-05-10T03:16:29Z 31.184.238.15 0 kvnOVSncAGPzsCj wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy cheap kamagra, 893240, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html generic lasix, =O, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy cheap levitra, %O, 5f7943eaa44b3db20e86c7d93d80a5c820283edb 2616 2615 2012-05-10T03:21:56Z 31.184.238.15 0 WHdDTVuCUstmTI wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html generic diflucan, 131175, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy doxycycline online, ahdtp, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html generic flagyl, 8-)), 9eded1416bb15f336a00b21f0c1e67ddd3be8616 2617 2616 2012-05-10T03:27:37Z 31.184.238.15 0 FKAufIHUrw wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html generic diflucan, szeuk, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy doxycycline online, 866, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy flagyl online, yykvpn, fc474162cdea6b375a365020b3a1a6b0008e3b06 2618 2617 2012-05-10T03:33:12Z 31.184.238.15 0 gHuZGndngQLlO wikitext text/x-wiki comment5, http://cheappurchaseonline.com/ generic viagra, 164, 
http://cheappurchaseonline.com/ generic cialis professional, 765, http://cheappurchaseonline.com/ generic levitra, 10856, 5c6c9d98addc2121bd5f7e79a0cf6e388450a874 2619 2618 2012-05-10T03:39:25Z 31.184.238.15 0 CLMuFisWRwjwIh wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html generic prednisone, >:))), http://cheappurchaseonline.com/buy-generic-priligy-online-en.html priligy, 252188, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html propecia, 17626, f6bb0e8592576ca4e8e0b109cdf7bc0fecd8d9e6 2620 2619 2012-05-10T03:51:25Z 31.184.238.15 0 VDEpfvokCAJiBlDwUZk wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html buy diflucan online, :-DDD, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html generic doxycycline, 8-D, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html flagyl, xctp, 448378658774d42ddee3701f8cc15b52103c37c0 2621 2620 2012-05-10T03:58:09Z 31.184.238.15 0 bqZsjvdWQ wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active online, 8-[[[, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy cheap zithromax, jnvat, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html generic zoloft, 1990, 4eb8bdfa99fcf3762bdc7ad633db20c1fea34b59 2622 2621 2012-05-10T04:04:58Z 31.184.238.15 0 LhRGuWbyIVFWPUOs wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy kamagra, van, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy generic lasix, 5072, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy generic levitra, %-))), 53459ebf09fbb77d65073931518a354b2d891a21 2623 2622 2012-05-10T04:12:32Z 31.184.238.15 0 vXsaTQeT wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html generic kamagra, =-[[[, 
http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy cheap lasix, >:((, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html levitra, :-((, 185bd92f57f55cc7d034d1e728cb8716c291d0e0 2624 2623 2012-05-10T04:19:05Z 31.184.238.15 0 ftGVzGxYvgaRBoxnmnO wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy nolvadex online, 204951, http://cheappurchaseonline.com/buy-generic--online-en.html generic accutane, 090449, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy orlistat, 8-), e0864f7fb76cbce1651f1f84d53e62ac4f5ec82c 2625 2624 2012-05-10T04:26:15Z 31.184.238.15 0 EfcSuAYWHjgwJtTZFMM wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-diflucan-online-en.html generic diflucan, =-[, http://cheappurchaseonline.com/buy-generic-doxycycline-online-en.html buy doxycycline online, :-DDD, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html flagyl, 8[[, 2d911c01875e3ceb5c85a233fbb11c5f396c50c3 2626 2625 2012-05-10T04:32:54Z 31.184.238.15 0 eRlzRAhQ wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html generic kamagra, habbxw, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix, >:O, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html levitra, :((, df4915ea2667455ccefba6a5467531f0a315940b 2627 2626 2012-05-10T04:39:15Z 31.184.238.15 0 cowLpcMg wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html strattera, oskxhj, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html viagra, >:O, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy generic viagra professional, :-DD, 7518b9c764ca0d9e1f20ae0efc745da93fed40f8 2628 2627 2012-05-10T04:44:39Z 31.184.238.15 0 hgVrjpSxNULZVLByNw wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html strattera, =-(((, 
http://cheappurchaseonline.com/buy-generic-paxil-online-en.html generic paxil, 62720, http://cheappurchaseonline.com/buy-generic-pentasa-online-en.html generic pentasa, 23131, http://cheappurchaseonline.com/buy-generic-pepcid-online-en.html generic pepcid, ifkql, http://cheappurchaseonline.com/buy-generic-periactin-online-en.html generic periactin, %-]]], http://cheappurchaseonline.com/buy-generic-persantine-online-en.html generic persantine, 891, http://cheappurchaseonline.com/buy-generic-phenamax-online-en.html buy phenamax, ltly, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html buy phenergan online, 97221, b42e397018472d4faf8ba4004554277996e9e275 2702 2701 2012-05-10T09:16:25Z 31.184.238.9 0 eGZpKGKUFdnpim wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-kamagra-online-it.html generico kamagra, 632, http://acquistareladroga.it/comprare-acquistare-nolvadex-online-it.html generic nolvadex, 200141, http://acquistareladroga.it/comprare-acquistare-orlistat-online-it.html comprare orlistat online, bftf, http://acquistareladroga.it/comprare-acquistare-prednisone-online-it.html prezzo prednisone, xdv, http://acquistareladroga.it/comprare-acquistare-priligy-online-it.html acquistare priligy, 8-]], c2b498ebfa23ae9062dbccd96abb846ca155ec4c 2703 2702 2012-05-10T09:20:37Z 31.184.238.9 0 jtMVmWQLvCYjQQ wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-orlistat-en-ligne-fr.html acheter orlistat, hab, http://generiquesmedicaments.fr/acheter-achat-prednisone-en-ligne-fr.html acheter prednisone en ligne, 033421, http://generiquesmedicaments.fr/acheter-achat-priligy-en-ligne-fr.html acheter priligy en ligne, jotoh, http://generiquesmedicaments.fr/ acheter flagyl, 754, http://generiquesmedicaments.fr/acheter-achat-propecia-en-ligne-fr.html acheter propecia, 109, 653872405a5cf5357b333466e38d339f3eca34f5 2704 2703 2012-05-10T09:21:21Z 31.184.238.15 0 pXUAsvgaWkFZtwmB wikitext text/x-wiki comment5, 
http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html buy ampicillin, =-PPP, http://cheappurchaseonline.com/buy-generic-anacin-online-en.html buy anacin, enjxie, http://cheappurchaseonline.com/buy-generic-anafranil-online-en.html generic anafranil, saku, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, >:DD, http://cheappurchaseonline.com/buy-generic-antabuse-online-en.html buy antabuse, 507458, http://cheappurchaseonline.com/buy-generic-antivert-online-en.html buy antivert online, hcsg, http://cheappurchaseonline.com/buy-generic-aralen-online-en.html buy aralen, 7263, http://cheappurchaseonline.com/buy-generic-arava-online-en.html buy arava online, 0650, 05cd3efe3ab2df31e20fc2fced369e4fc6c40c32 2705 2704 2012-05-10T09:24:41Z 31.184.238.9 0 BRuwOwUBHQKAjwsNv wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-strattera-en-ligne-fr.html acheter strattera en ligne, >:-PPP, http://generiquesmedicaments.fr/acheter-achat-viagra-en-ligne-fr.html vente viagra, %-OOO, http://generiquesmedicaments.fr/acheter-achat-viagra-professional-en-ligne-fr.html acheter viagra professional en ligne, 398985, http://generiquesmedicaments.fr/acheter-achat-viagra-super-active-en-ligne-fr.html generique viagra super active, :[, http://generiquesmedicaments.fr/acheter-achat-zithromax-en-ligne-fr.html achat zithromax, 04104, af42b9a79e13e24673b44de8ffc61afc96169b11 2706 2705 2012-05-10T09:26:48Z 31.184.238.15 0 fxhfsApxLnmISFvRCA wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-naprelan-online-en.html generic naprelan, 40688, http://cheappurchaseonline.com/buy-generic-neem-online-en.html generic neem, >:-DD, http://cheappurchaseonline.com/buy-generic-neurontin-online-en.html generic neurontin, :-[, http://cheappurchaseonline.com/buy-generic-nexium-online-en.html buy nexium online, =-]]], http://cheappurchaseonline.com/buy-generic-nimotop-online-en.html buy nimotop online, 863869, 
http://cheappurchaseonline.com/buy-generic-nitroglycerin-online-en.html buy nitroglycerin, 35139, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html buy nizoral, 42321, http://cheappurchaseonline.com/buy-generic-noroxin-online-en.html generic noroxin, llewv, 5d5075efdaf54d4158398beff9bc8bffec7b1699 2707 2706 2012-05-10T09:28:43Z 31.184.238.9 0 BlNOoBQxESncTA wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-doxycycline-en-ligne-fr.html acheter doxycycline en ligne, 91197, http://generiquesmedicaments.fr/ acheter viagra, 924409, http://generiquesmedicaments.fr/acheter-achat--en-ligne-fr.html acheter zoloft, 8-OOO, http://generiquesmedicaments.fr/acheter-achat-female-viagra-en-ligne-fr.html generique female viagra, 907415, http://generiquesmedicaments.fr/acheter-achat-flagyl-en-ligne-fr.html flagyl, 7661, 5ebce2ef59b153c87e7d27802409a230322739e8 2708 2707 2012-05-10T09:32:09Z 31.184.238.15 0 bDoiFbxskqNK wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-avodart-online-en.html generic avodart, 957374, http://cheappurchaseonline.com/buy-generic-aygestin-online-en.html buy aygestin, 457, http://cheappurchaseonline.com/buy-generic-azulfidine-online-en.html buy azulfidine online, ege, http://cheappurchaseonline.com/buy-generic-baclofen-online-en.html buy baclofen online, azoms, http://cheappurchaseonline.com/buy-generic-beloc-online-en.html buy beloc online, 4564, http://cheappurchaseonline.com/buy-generic-benadryl-online-en.html generic benadryl, >:(, http://cheappurchaseonline.com/buy-generic-benemid-online-en.html buy benemid online, %OOO, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html buy benicar, 057267, b51882ae55562723838bffd990ca27b123e3bc56 2709 2708 2012-05-10T09:32:50Z 31.184.238.9 0 GrOesMEWh wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-accutane-online-it.html generic accutane, fpall, http://onlinefarmacia.it/comprare-acquistare-amoxil-online-it.html comprare 
amoxil, 730539, http://onlinefarmacia.it/comprare-acquistare-bactrim-online-it.html comprare bactrim online, :(((, http://onlinefarmacia.it/comprare-acquistare-cialis-online-it.html comprare cialis online, yamqij, http://onlinefarmacia.it/comprare-acquistare-cialis-professional-online-it.html comprare cialis professional, 7416, ee64c469bd18a0d57910e0981da139b504a6a609 2710 2709 2012-05-10T09:37:00Z 31.184.238.9 0 mZpPDJPbWoBniumCh wikitext text/x-wiki , http://onlinefarmacia.it/ comprare propecia, :P, http://onlinefarmacia.it/comprare-acquistare-female-viagra-online-it.html generic female viagra, >:(, http://onlinefarmacia.it/comprare-acquistare-flagyl-online-it.html acquistare flagyl, vjv, http://onlinefarmacia.it/comprare-acquistare-kamagra-online-it.html vendita kamagra, yho, http://onlinefarmacia.it/comprare-acquistare-lasix-online-it.html prezzo lasix, 50505, 4fd1aa27aaab1f1d7d09c02072f3b3bfe38b7eac 2711 2710 2012-05-10T09:37:16Z 31.184.238.15 0 yofsiAyC wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html generic cozaar, =-OOO, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html buy crestor online, 34859, http://cheappurchaseonline.com/buy-generic-crixivan-online-en.html generic crixivan, xuy, http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html buy cymbalta online, 792, http://cheappurchaseonline.com/buy-generic-cystone-online-en.html buy cystone online, >:[[, http://cheappurchaseonline.com/buy-generic-cytotec-online-en.html buy cytotec online, >:-[[[, http://cheappurchaseonline.com/buy-generic-cytoxan-online-en.html generic cytoxan, 81356, http://cheappurchaseonline.com/buy-generic-danazol-online-en.html buy danazol, 792, 826ff0ef545915d803e47496457b06012d4927d3 2712 2711 2012-05-10T09:41:23Z 31.184.238.9 0 vaNOIrQiFO wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-accutane-online-it.html acquistare accutane, gklysq, 
http://onlinefarmacia.it/comprare-acquistare-amoxil-online-it.html vendita amoxil, qgghva, http://onlinefarmacia.it/comprare-acquistare-bactrim-online-it.html generico bactrim, 578005, http://onlinefarmacia.it/comprare-acquistare-cialis-online-it.html generico cialis, inlb, http://onlinefarmacia.it/comprare-acquistare-cialis-professional-online-it.html comprare cialis professional online, 1772, 760cdbcc4874f354f8faacd80425a25937af78d9 2713 2712 2012-05-10T09:42:35Z 31.184.238.15 0 XyKbXuLFpJRQuEpKO wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html generic clarinex, %-PPP, http://cheappurchaseonline.com/buy-generic-claritin-online-en.html generic claritin, 488540, http://cheappurchaseonline.com/buy-generic-cleocin-online-en.html buy cleocin online, 48043, http://cheappurchaseonline.com/buy-generic-clonidine-online-en.html generic clonidine, 036677, http://cheappurchaseonline.com/buy-generic-clozaril-online-en.html generic clozaril, dlfcy, http://cheappurchaseonline.com/buy-generic-colospa-online-en.html generic colospa, 3708, http://cheappurchaseonline.com/buy-generic-combipres-online-en.html buy combipres, itdxm, http://cheappurchaseonline.com/buy-generic-combivent-online-en.html buy combivent, 8-), 0b546c596b47c458209f7b737118c13dded7c731 2714 2713 2012-05-10T09:45:38Z 31.184.238.9 0 rReHaUrNyfxSYPRiI wikitext text/x-wiki , http://onlinefarmacia.it/ comprare accutane, ptktny, http://onlinefarmacia.it/comprare-acquistare-levitra-online-it.html generic levitra, 1504, http://onlinefarmacia.it/comprare-acquistare-nolvadex-online-it.html vendita nolvadex, :-((, http://onlinefarmacia.it/comprare-acquistare-orlistat-online-it.html generico orlistat, epxipb, http://onlinefarmacia.it/comprare-acquistare-prednisone-online-it.html prezzo prednisone, =-(((, 22aded6d93f3b87214ffc54cad95b75859464d27 2715 2714 2012-05-10T09:47:44Z 31.184.238.15 0 NRIAPUziuLIKSrro wikitext text/x-wiki comment4, 
http://cheappurchaseonline.com/buy-generic-phoslo-online-en.html buy phoslo, yxdizl, http://cheappurchaseonline.com/buy-generic-pilex-online-en.html generic pilex, 595, http://cheappurchaseonline.com/buy-generic-plavix-online-en.html buy plavix online, ikqh, http://cheappurchaseonline.com/buy-generic-plendil-online-en.html generic plendil, %DD, http://cheappurchaseonline.com/buy-generic-pletal-online-en.html generic pletal, badnda, http://cheappurchaseonline.com/buy-generic-ponstel-online-en.html buy ponstel, =-DD, http://cheappurchaseonline.com/buy-generic-prandin-online-en.html buy prandin online, 8-OO, http://cheappurchaseonline.com/buy-generic-precose-online-en.html buy precose online, 8[[, 056c9525d45f5f5951df007f5d6520a81fb58cfd 2716 2715 2012-05-10T09:50:01Z 31.184.238.9 0 tQwxnsJTNMCTJVqQ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html prezzo viagra, >:-PPP, http://onlinefarmacia.it/comprare-acquistare-viagra-professional-online-it.html vendita viagra professional, vjxpgo, http://onlinefarmacia.it/comprare-acquistare-viagra-super-active-online-it.html comprare viagra super active online, 700, http://onlinefarmacia.it/comprare-acquistare-zithromax-online-it.html vendita zithromax, dvuez, http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html generico zoloft, 9376, 09e2bfea9912c22a2560bbe8174e6f7e5a0f0845 2717 2716 2012-05-10T09:53:21Z 31.184.238.15 0 fRiJIVaNyaYT wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-nortriptyline-online-en.html generic nortriptyline, inyhxf, http://cheappurchaseonline.com/buy-generic-norvasc-online-en.html buy norvasc online, eouukh, http://cheappurchaseonline.com/buy-generic-omnicef-online-en.html buy omnicef online, 285, http://cheappurchaseonline.com/buy-generic-ophthacare-online-en.html buy ophthacare, 9550, http://cheappurchaseonline.com/buy-generic-oxytrol-online-en.html generic oxytrol, 4609, 
http://cheappurchaseonline.com/buy-generic-pamelor-online-en.html buy pamelor online, 258242, http://cheappurchaseonline.com/buy-generic-panadol-online-en.html buy panadol, tmmhg, http://cheappurchaseonline.com/buy-generic-parlodel-online-en.html buy parlodel online, ipr, 4a293e937033c0bf7666623764eb0f5f16e49d9c 2718 2717 2012-05-10T09:54:27Z 31.184.238.9 0 WxsWNiAnvciQ wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter levitra, %-], http://enlignepharmacie.fr/acheter-achat-cialis-super-active-en-ligne-fr.html generique cialis super active, dxeky, http://enlignepharmacie.fr/acheter-achat-cipro-en-ligne-fr.html vente cipro, %], http://enlignepharmacie.fr/acheter-achat-clomid-en-ligne-fr.html achat clomid, pef, http://enlignepharmacie.fr/acheter-achat-diflucan-en-ligne-fr.html acheter diflucan, 733, 22fb13141ca9721008f4dbae031cfa821e048d35 2719 2718 2012-05-10T09:58:39Z 31.184.238.15 0 nPYXlyRgFe wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html buy ampicillin online, crcq, http://cheappurchaseonline.com/buy-generic-anacin-online-en.html buy anacin, qaxg, http://cheappurchaseonline.com/buy-generic-anafranil-online-en.html buy anafranil online, astlyr, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html buy ansaid, >:-DD, http://cheappurchaseonline.com/buy-generic-antabuse-online-en.html buy antabuse, 201300, http://cheappurchaseonline.com/buy-generic-antivert-online-en.html buy antivert, 923623, http://cheappurchaseonline.com/buy-generic-aralen-online-en.html buy aralen, xzv, http://cheappurchaseonline.com/buy-generic-arava-online-en.html buy arava, erzsvb, 6bbefa59149350fcaeff54576e0fbcdb39f32722 2720 2719 2012-05-10T09:58:51Z 31.184.238.9 0 cDGgxihqWNbSNKAgAb wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-kamagra-en-ligne-fr.html acheter kamagra en ligne, jhkdnr, http://generiquesmedicaments.fr/acheter-achat-lasix-en-ligne-fr.html acheter lasix, 587, 
http://generiquesmedicaments.fr/ acheter propecia, :OO, http://generiquesmedicaments.fr/acheter-achat-levitra-en-ligne-fr.html vente levitra, :(((, http://generiquesmedicaments.fr/acheter-achat-nolvadex-en-ligne-fr.html acheter nolvadex en ligne, >:-]], 775eb7124cfb5bba231b9f5f37242522b2f06aff 2721 2720 2012-05-10T10:03:26Z 31.184.238.9 0 rXtzUVgWqLeXUTZy wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-kamagra-en-ligne-fr.html achat kamagra, 300, http://generiquesmedicaments.fr/acheter-achat-lasix-en-ligne-fr.html lasix, bpw, http://generiquesmedicaments.fr/ acheter strattera, %-OO, http://generiquesmedicaments.fr/acheter-achat-levitra-en-ligne-fr.html generique levitra, %-D, http://generiquesmedicaments.fr/acheter-achat-nolvadex-en-ligne-fr.html generique nolvadex, vecpx, a4228877ac0097c549057fda5465a1f23487eb01 2722 2721 2012-05-10T10:03:45Z 31.184.238.15 0 FiyDNwvDkzwbaZPP wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-minipress-online-en.html generic minipress, npz, http://cheappurchaseonline.com/buy-generic-minocin-online-en.html generic minocin, 5787, http://cheappurchaseonline.com/buy-generic-minomycin-online-en.html buy minomycin online, 5039, http://cheappurchaseonline.com/buy-generic-monoket-online-en.html buy monoket, 8(, http://cheappurchaseonline.com/buy-generic-monopril-online-en.html buy monopril online, 2744, http://cheappurchaseonline.com/buy-generic-motilium-online-en.html generic motilium, kal, http://cheappurchaseonline.com/buy-generic-myambutol-online-en.html buy myambutol online, kzeet, http://cheappurchaseonline.com/buy-generic-mysoline-online-en.html buy mysoline, >:-DD, 5bf7401f1b88850d913b908ff07ff17a732342c4 2723 2722 2012-05-10T10:07:41Z 31.184.238.9 0 Miyygibo wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-cialis-professional-online-it.html acquistare cialis professional, 0514, http://acquistareladroga.it/comprare-acquistare-cialis-super-active-online-it.html 
vendita cialis super active, 254, http://acquistareladroga.it/comprare-acquistare-cipro-online-it.html vendita cipro, yrrew, http://acquistareladroga.it/ comprare strattera, tjov, http://acquistareladroga.it/comprare-acquistare-clomid-online-it.html vendita clomid, 5011, 94e8db43cc2b2212c16dd12439bfcd8bc4a57bca 2724 2723 2012-05-10T10:09:20Z 31.184.238.15 0 IxHznRKAGu wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-verampil-online-en.html buy verampil online, 2957, http://cheappurchaseonline.com/buy-generic-verapamil-online-en.html buy verapamil, ikq, http://cheappurchaseonline.com/buy-generic-vermox-online-en.html buy vermox, llfjyz, http://cheappurchaseonline.com/buy-generic-v-gel-online-en.html buy v-gel, 44188, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html buy vibramycin online, :)), http://cheappurchaseonline.com/buy-generic-viramune-online-en.html buy viramune, >:[[[, http://cheappurchaseonline.com/buy-generic-vitamin-b12-online-en.html buy vitamin b12, 7553, http://cheappurchaseonline.com/buy-generic-vitamin-c-online-en.html buy vitamin c online, =-]], cf4435af9828f75a9bf4bc2b477eeb031fdf22f5 2725 2724 2012-05-10T10:11:42Z 31.184.238.9 0 schZeOuuPLKSdTtOlPG wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-cialis-super-active-online-it.html prezzo cialis super active, :-(, http://onlinefarmacia.it/comprare-acquistare-cipro-online-it.html comprare cipro, 669766, http://onlinefarmacia.it/comprare-acquistare-clomid-online-it.html generico clomid, 199, http://onlinefarmacia.it/comprare-acquistare-diflucan-online-it.html comprare diflucan online, ydfku, http://onlinefarmacia.it/comprare-acquistare-doxycycline-online-it.html generic doxycycline, 18018, 5193fba37e430d654149d76d81925cf1ec2a1e00 2726 2725 2012-05-10T10:14:40Z 31.184.238.15 0 WkqXkGPftBCBUtbs wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-ashwagandha-online-en.html buy ashwagandha, 17649, 
http://cheappurchaseonline.com/buy-generic-astelin-online-en.html generic astelin, %-[[[, http://cheappurchaseonline.com/buy-generic-atacand-online-en.html generic atacand, 0534, http://cheappurchaseonline.com/buy-generic-atarax-online-en.html buy atarax online, =), http://cheappurchaseonline.com/buy-generic-atrovent-online-en.html buy atrovent online, 8D, http://cheappurchaseonline.com/buy-generic-augmentin-online-en.html buy augmentin online, fgv, http://cheappurchaseonline.com/buy-generic-avandia-online-en.html buy avandia online, 5820, http://cheappurchaseonline.com/buy-generic-avapro-online-en.html buy avapro, ktnkta, add9adcee8edfc409817098a5508e9f9f7bae876 2727 2726 2012-05-10T10:15:46Z 31.184.238.9 0 viFwYFDKyNSRKtjEZj wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter zithromax, >:[[, http://enlignepharmacie.fr/acheter-achat-lasix-en-ligne-fr.html acheter lasix, 8OO, http://enlignepharmacie.fr/acheter-achat-levitra-en-ligne-fr.html vente levitra, zcg, http://enlignepharmacie.fr/acheter-achat-nolvadex-en-ligne-fr.html generique nolvadex, 030582, http://enlignepharmacie.fr/acheter-achat-orlistat-en-ligne-fr.html achat orlistat, usop, da186789f9eaaf62bcd36c36ab968a4a4e779886 2728 2727 2012-05-10T10:19:59Z 31.184.238.9 0 ADbvXzWuug wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html comprare viagra, gsv, http://onlinefarmacia.it/comprare-acquistare-viagra-professional-online-it.html vendita viagra professional, 785805, http://onlinefarmacia.it/comprare-acquistare-viagra-super-active-online-it.html generic viagra super active, 5141, http://onlinefarmacia.it/comprare-acquistare-zithromax-online-it.html generic zithromax, rcuh, http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html comprare zoloft online, jfy, be82add9c50835092a30ccc117918c54fbef18f5 2729 2728 2012-05-10T10:20:09Z 31.184.238.15 0 WFsklhcqDtmjfsbjNN wikitext text/x-wiki comment1, 
http://cheappurchaseonline.com/buy-generic-premarin-online-en.html buy premarin, %-(((, http://cheappurchaseonline.com/buy-generic-prevacid-online-en.html buy prevacid online, vlxj, http://cheappurchaseonline.com/buy-generic-prilosec-online-en.html buy prilosec online, 3207, http://cheappurchaseonline.com/buy-generic-prinivil-online-en.html buy prinivil online, zxj, http://cheappurchaseonline.com/buy-generic-procardia-online-en.html generic procardia, =-], http://cheappurchaseonline.com/buy-generic-prograf-online-en.html buy prograf online, fsv, http://cheappurchaseonline.com/buy-generic-prometrium-online-en.html buy prometrium online, skfktc, http://cheappurchaseonline.com/buy-generic-proscar-online-en.html buy proscar online, 115, d6ea993a2f1b9c383ea6aadd6d40cdd59daf8d6a 2730 2729 2012-05-10T10:24:24Z 31.184.238.9 0 KSWnTCVkuZpcbXtrViZ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-cialis-super-active-online-it.html generic cialis super active, fvvxu, http://onlinefarmacia.it/comprare-acquistare-cipro-online-it.html comprare cipro online, 87421, http://onlinefarmacia.it/comprare-acquistare-clomid-online-it.html vendita clomid, 8-], http://onlinefarmacia.it/comprare-acquistare-diflucan-online-it.html generico diflucan, 27794, http://onlinefarmacia.it/comprare-acquistare-doxycycline-online-it.html comprare doxycycline online, uma, 9511c73bf1199f85c70dd83f75c612fe2623e671 2731 2730 2012-05-10T10:25:22Z 31.184.238.15 0 xtQQFGTQyTJaXxzuNXV wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-arcoxia-online-en.html generic arcoxia, %[[, http://cheappurchaseonline.com/buy-generic-aricept-online-en.html generic aricept, 065, http://cheappurchaseonline.com/buy-generic-arimidex-online-en.html buy arimidex online, 8-P, http://cheappurchaseonline.com/buy-generic-aristocort-online-en.html buy aristocort online, lxwc, http://cheappurchaseonline.com/buy-generic-arjuna-online-en.html generic arjuna, 635, 
http://cheappurchaseonline.com/buy-generic-artane-online-en.html buy artane, 8OOO, http://cheappurchaseonline.com/buy-generic-asendin-online-en.html generic asendin, tvw, http://cheappurchaseonline.com/buy-generic-ashwafera-online-en.html generic ashwafera, >:))), 3fbdf96221021d4fc6a967377a4c6369083c2183 Linux Security Summit 2012 0 8 2732 2731 2012-05-10T10:28:36Z 31.184.238.9 0 ATnNBLjtBjg wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-strattera-en-ligne-fr.html achat strattera, aulj, http://generiquesmedicaments.fr/acheter-achat-viagra-en-ligne-fr.html generique viagra, lfcrhc, http://generiquesmedicaments.fr/acheter-achat-viagra-professional-en-ligne-fr.html acheter viagra professional, nkquiz, http://generiquesmedicaments.fr/acheter-achat-viagra-super-active-en-ligne-fr.html acheter viagra super active en ligne, bpdvh, http://generiquesmedicaments.fr/acheter-achat-zithromax-en-ligne-fr.html acheter zithromax, 8DDD, 653e4b03157ba0c04c705ae49736e64a5cc35b04 2733 2732 2012-05-10T10:30:30Z 31.184.238.15 0 dEECekllRAzjndRk wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-calan-online-en.html buy calan online, 633, http://cheappurchaseonline.com/buy-generic-calan-sr-online-en.html buy calan sr online, :-), http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html generic calcium carbonate, csch, http://cheappurchaseonline.com/buy-generic-capoten-online-en.html buy capoten, pois, http://cheappurchaseonline.com/buy-generic-carafate-online-en.html generic carafate, 089351, http://cheappurchaseonline.com/buy-generic-cardarone-online-en.html buy cardarone, :-DDD, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html buy cardura online, lexood, http://cheappurchaseonline.com/buy-generic-cataflam-online-en.html buy cataflam, =-O, 49996a9b61eec21e1cdeeca748dbed554df56d82 2734 2733 2012-05-10T10:32:47Z 31.184.238.9 0 vwgtkBfEmPbeL wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter diflucan, 
8-(((, http://enlignepharmacie.fr/acheter-achat-cialis-super-active-en-ligne-fr.html cialis super active, 78570, http://enlignepharmacie.fr/acheter-achat-cipro-en-ligne-fr.html generique cipro, tcgp, http://enlignepharmacie.fr/acheter-achat-clomid-en-ligne-fr.html vente clomid, qhhod, http://enlignepharmacie.fr/acheter-achat-diflucan-en-ligne-fr.html diflucan, 1459, 50e3b19e7d72de3504ed71f31e2a8ceab3256354 2735 2734 2012-05-10T10:35:59Z 31.184.238.15 0 fRtrEtap wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-abana-online-en.html buy abana online, xnye, http://cheappurchaseonline.com/buy-generic-abilify-online-en.html buy abilify online, 932, http://cheappurchaseonline.com/buy-generic-aceon-online-en.html buy aceon, :-O, http://cheappurchaseonline.com/buy-generic-aciclovir-online-en.html generic aciclovir, kqi, http://cheappurchaseonline.com/buy-generic-aciphex-online-en.html buy aciphex, 450, http://cheappurchaseonline.com/buy-generic-acticin-online-en.html buy acticin, =-), http://cheappurchaseonline.com/buy-generic-actigall-online-en.html buy actigall online, %-(((, http://cheappurchaseonline.com/buy-generic-actos-online-en.html buy actos, 2889, 1741da648c985a81807953d6e7f8ff7db1caf3cc 2736 2735 2012-05-10T10:37:13Z 31.184.238.9 0 mBUhVaLwwsvqA wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-orlistat-en-ligne-fr.html acheter orlistat en ligne, :[, http://generiquesmedicaments.fr/acheter-achat-prednisone-en-ligne-fr.html prednisone, :[[, http://generiquesmedicaments.fr/acheter-achat-priligy-en-ligne-fr.html generique priligy, :OOO, http://generiquesmedicaments.fr/ acheter strattera, ralkdl, http://generiquesmedicaments.fr/acheter-achat-propecia-en-ligne-fr.html propecia, 8))), ea95ad171a2e090ae1f199aa5a48549ae5c45183 2737 2736 2012-05-10T10:40:56Z 31.184.238.15 0 qHEkLNgJurfsrDRwrrG wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-loxitane-online-en.html buy loxitane, >:-[[, 
Linux Security Summit 2012
86ca932045ba1c4532994bbc4603337497c0bdf3 2798 2797 2012-05-10T13:01:04Z 31.184.238.9 0 EREUrpIZyuDL wikitext text/x-wiki , http://onlinefarmacia.it/ comprare priligy, pcof, http://onlinefarmacia.it/comprare-acquistare-levitra-online-it.html generico levitra, :(, http://onlinefarmacia.it/comprare-acquistare-nolvadex-online-it.html comprare nolvadex online, 496, http://onlinefarmacia.it/comprare-acquistare-orlistat-online-it.html prezzo orlistat, 8-PP, http://onlinefarmacia.it/comprare-acquistare-prednisone-online-it.html prezzo prednisone, 7518, bc117f8d6ac6427ab193798eb3920c7e14251b54 2799 2798 2012-05-10T13:04:33Z 31.184.238.15 0 ucGOTaPvmliORXMVRn wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-thorazine-online-en.html buy thorazine online, kqoe, http://cheappurchaseonline.com/buy-generic-ticlid-online-en.html generic ticlid, 8853, http://cheappurchaseonline.com/buy-generic-tinidazole-online-en.html buy tinidazole, wit, http://cheappurchaseonline.com/buy-generic-tofranil-online-en.html generic tofranil, 139730, http://cheappurchaseonline.com/buy-generic-topamax-online-en.html generic topamax, 663, http://cheappurchaseonline.com/buy-generic-toprol-online-en.html buy toprol online, 020, http://cheappurchaseonline.com/buy-generic-toprol-xl-online-en.html generic toprol xl, owfjb, http://cheappurchaseonline.com/buy-generic-trandate-online-en.html buy trandate online, 034419, 2258a54f7e52177192661d15b4397328a8fdba26 2800 2799 2012-05-10T13:05:17Z 31.184.238.9 0 iQLkZJOwV wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-viagra-online-it.html vendita viagra, 088, http://onlinefarmacia.it/comprare-acquistare-viagra-professional-online-it.html acquistare viagra professional, 69567, http://onlinefarmacia.it/comprare-acquistare-viagra-super-active-online-it.html comprare viagra super active, %-(((, http://onlinefarmacia.it/comprare-acquistare-zithromax-online-it.html generic zithromax, :-]], 
http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html vendita zoloft, %-PPP, b69eb85bbb965e0a6486f0505363dad4de573cb6 2801 2800 2012-05-10T13:09:39Z 31.184.238.9 0 sQfbwNxoFv wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-doxycycline-en-ligne-fr.html acheter doxycycline en ligne, ptslr, http://generiquesmedicaments.fr/ acheter cialis professional, 570, http://generiquesmedicaments.fr/acheter-achat--en-ligne-fr.html acheter zoloft, 97086, http://generiquesmedicaments.fr/acheter-achat-female-viagra-en-ligne-fr.html vente female viagra, tnsaag, http://generiquesmedicaments.fr/acheter-achat-flagyl-en-ligne-fr.html flagyl, vnrzfe, 7ac0d29df6f19cb40415a00d2100584bfac73c2c 2802 2801 2012-05-10T13:09:49Z 31.184.238.15 0 VThFumceJxyNCibn wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-septilin-online-en.html buy septilin online, %]]], http://cheappurchaseonline.com/buy-generic-serevent-online-en.html generic serevent, 887530, http://cheappurchaseonline.com/buy-generic-serophene-online-en.html buy serophene, jfrybm, http://cheappurchaseonline.com/buy-generic-seroquel-online-en.html generic seroquel, 207, http://cheappurchaseonline.com/buy-generic-shallaki-online-en.html buy shallaki online, 07324, http://cheappurchaseonline.com/buy-generic-shuddha-guggulu-online-en.html buy shuddha guggulu online, >:OOO, http://cheappurchaseonline.com/buy-generic-sinemet-cr-online-en.html buy sinemet cr online, nikxfx, http://cheappurchaseonline.com/buy-generic-sinemet-online-en.html buy sinemet, 33637, 120fe65418723934d153e81e15277758f0fb2313 2803 2802 2012-05-10T13:13:44Z 31.184.238.9 0 qgzLtyuTOETNgRYhAo wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-viagra-en-ligne-fr.html achat viagra, dith, http://enlignepharmacie.fr/acheter-achat-viagra-professional-en-ligne-fr.html generique viagra professional, =-]]], http://enlignepharmacie.fr/acheter-achat-viagra-super-active-en-ligne-fr.html viagra super active, gdfji, 
http://enlignepharmacie.fr/acheter-achat-zithromax-en-ligne-fr.html achat zithromax, 8P, http://enlignepharmacie.fr/acheter-achat-zoloft-en-ligne-fr.html achat zoloft, 8), 414fb192b1f1179e683a926cb5887485c8bbe5f2 2804 2803 2012-05-10T13:15:03Z 31.184.238.15 0 SCUTdMjFaeav wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html buy cozaar online, nxco, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html buy crestor, 280, http://cheappurchaseonline.com/buy-generic-crixivan-online-en.html generic crixivan, pbj, http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html generic cymbalta, 8-(, http://cheappurchaseonline.com/buy-generic-cystone-online-en.html buy cystone online, %-D, http://cheappurchaseonline.com/buy-generic-cytotec-online-en.html buy cytotec online, wbacw, http://cheappurchaseonline.com/buy-generic-cytoxan-online-en.html buy cytoxan, iwaqxo, http://cheappurchaseonline.com/buy-generic-danazol-online-en.html buy danazol online, 18657, ff2190830233336edaeb810112868798d5c32710 2805 2804 2012-05-10T13:18:42Z 31.184.238.9 0 tfylBYdgSCGGwDqdB wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-cialis-super-active-online-it.html comprare cialis super active, 75184, http://onlinefarmacia.it/comprare-acquistare-cipro-online-it.html vendita cipro, =DDD, http://onlinefarmacia.it/comprare-acquistare-clomid-online-it.html comprare clomid online, euk, http://onlinefarmacia.it/comprare-acquistare-diflucan-online-it.html prezzo diflucan, 8DD, http://onlinefarmacia.it/comprare-acquistare-doxycycline-online-it.html prezzo doxycycline, 2292, e9279776e1b9d5cc86ee3731cc72c7f86572e8f0 2806 2805 2012-05-10T13:20:28Z 31.184.238.15 0 JHNRbpibxepOjr wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-starlix-online-en.html buy starlix online, =-)), http://cheappurchaseonline.com/buy-generic-stromectol-online-en.html generic stromectol, ilaxlm, 
http://cheappurchaseonline.com/buy-generic-styplon-online-en.html buy styplon, kymfer, http://cheappurchaseonline.com/buy-generic-suminat-online-en.html buy suminat online, 8[[[, http://cheappurchaseonline.com/buy-generic-sumycin-online-en.html generic sumycin, 686107, http://cheappurchaseonline.com/buy-generic-sustiva-online-en.html buy sustiva, gcbjim, http://cheappurchaseonline.com/buy-generic-symmetrel-online-en.html generic symmetrel, 397, http://cheappurchaseonline.com/buy-generic-synthroid-online-en.html buy synthroid, nsyyp, d053f015d1984838a796efc8e909c868eeeba66f 2807 2806 2012-05-10T13:22:46Z 31.184.238.9 0 TmwvuNjrUA wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-kamagra-en-ligne-fr.html kamagra, blze, http://generiquesmedicaments.fr/acheter-achat-lasix-en-ligne-fr.html generique lasix, 4617, http://generiquesmedicaments.fr/ acheter levitra, 573, http://generiquesmedicaments.fr/acheter-achat-levitra-en-ligne-fr.html vente levitra, lyh, http://generiquesmedicaments.fr/acheter-achat-nolvadex-en-ligne-fr.html generique nolvadex, 017710, a78eb462ebf292400b4b875a3b63c09b5999d0be 2808 2807 2012-05-10T13:25:57Z 31.184.238.15 0 dOxRgMsiFToZcdxIlbo wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-danocrine-online-en.html buy danocrine online, 8-PPP, http://cheappurchaseonline.com/buy-generic-dapsone-online-en.html generic dapsone, >:-]], http://cheappurchaseonline.com/buy-generic-ddavp-online-en.html generic ddavp, >:[[, http://cheappurchaseonline.com/buy-generic-decadron-online-en.html generic decadron, sedpej, http://cheappurchaseonline.com/buy-generic-depakote-online-en.html buy depakote online, 05853, http://cheappurchaseonline.com/buy-generic-desogen-online-en.html buy desogen online, pzg, http://cheappurchaseonline.com/buy-generic-desyrel-online-en.html generic desyrel, >:OOO, http://cheappurchaseonline.com/buy-generic-detrol-la-online-en.html buy detrol la, 271, ada488d7c1ff6ec86ca43a5db923d5305ed88f62 2809 
2808 2012-05-10T13:27:07Z 31.184.238.9 0 OtyIpusJ wikitext text/x-wiki , http://generiquesmedicaments.fr/ acheter cipro, 8-]], http://generiquesmedicaments.fr/acheter-achat-cialis-super-active-en-ligne-fr.html acheter cialis super active en ligne, iscek, http://generiquesmedicaments.fr/acheter-achat-cipro-en-ligne-fr.html vente cipro, 71085, http://generiquesmedicaments.fr/acheter-achat-clomid-en-ligne-fr.html clomid, 5491, http://generiquesmedicaments.fr/acheter-achat-diflucan-en-ligne-fr.html generique diflucan, swxi, b7819b28a089b2d7ffe3fbc568b3618be625a5b7 2810 2809 2012-05-10T13:31:19Z 31.184.238.9 0 KtvNSkTrMo wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-prednisone-en-ligne-fr.html prednisone, jqezek, http://enlignepharmacie.fr/acheter-achat-priligy-en-ligne-fr.html generique priligy, eenpum, http://enlignepharmacie.fr/ acheter kamagra, 8-[, http://enlignepharmacie.fr/acheter-achat-propecia-en-ligne-fr.html acheter propecia en ligne, =-(, http://enlignepharmacie.fr/acheter-achat-strattera-en-ligne-fr.html achat strattera, lufkk, ae7e1c9affe3791b092dd66e192524627a2c4b6e 2811 2810 2012-05-10T13:35:35Z 31.184.238.9 0 hpdzqUOM wikitext text/x-wiki , http://generiquesmedicaments.fr/ acheter cialis, tcxs, http://generiquesmedicaments.fr/acheter-achat-cialis-super-active-en-ligne-fr.html vente cialis super active, >:(, http://generiquesmedicaments.fr/acheter-achat-cipro-en-ligne-fr.html acheter cipro, 916, http://generiquesmedicaments.fr/acheter-achat-clomid-en-ligne-fr.html clomid, 797377, http://generiquesmedicaments.fr/acheter-achat-diflucan-en-ligne-fr.html generique diflucan, 8-OOO, 0e4851ea54df64f00037610cbcc83d05afb8acfa 2812 2811 2012-05-10T13:36:37Z 31.184.238.15 0 vhSNugYZqdVqGJyuFV wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-verampil-online-en.html generic verampil, ppn, http://cheappurchaseonline.com/buy-generic-verapamil-online-en.html buy verapamil online, 018, 
http://cheappurchaseonline.com/buy-generic-vermox-online-en.html buy vermox, btwp, http://cheappurchaseonline.com/buy-generic-v-gel-online-en.html buy v-gel online, enmjbv, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html generic vibramycin, =], http://cheappurchaseonline.com/buy-generic-viramune-online-en.html generic viramune, 79375, http://cheappurchaseonline.com/buy-generic-vitamin-b12-online-en.html generic vitamin b12, %-OO, http://cheappurchaseonline.com/buy-generic-vitamin-c-online-en.html buy vitamin c online, 831981, f1741bc14563abedc27675bcb7c8b3f4317f0a0d 2813 2812 2012-05-10T13:39:42Z 31.184.238.9 0 jHvqjceM wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-priligy-online-it.html generico priligy, %DD, http://onlinefarmacia.it/comprare-acquistare-propecia-online-it.html generic propecia, 00052, http://onlinefarmacia.it/comprare-acquistare-proscar-online-it.html vendita proscar, =D, http://onlinefarmacia.it/ comprare cipro, ytahk, http://onlinefarmacia.it/comprare-acquistare-strattera-online-it.html generic strattera, :-((, 2dcb49479bb0f510c3d76011768b15fc84647858 2814 2813 2012-05-10T13:42:21Z 31.184.238.15 0 pLDabFzocT wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-adalat-online-en.html buy adalat, =-P, http://cheappurchaseonline.com/buy-generic-aggrenox-online-en.html buy aggrenox, lghs, http://cheappurchaseonline.com/buy-generic-albenza-online-en.html buy albenza, 81753, http://cheappurchaseonline.com/buy-generic-alesse-online-en.html generic alesse, >:), http://cheappurchaseonline.com/buy-generic-alfacip-online-en.html generic alfacip, 841, http://cheappurchaseonline.com/buy-generic-allegra-online-en.html buy allegra online, nkg, http://cheappurchaseonline.com/buy-generic-allopurinol-online-en.html generic allopurinol, fda, http://cheappurchaseonline.com/buy-generic-amaryl-online-en.html buy amaryl online, vfoxwr, f02910a183df317db52d8151508e88f8045041a3 2815 2814 2012-05-10T13:43:58Z 
31.184.238.9 0 BGlCXGIXDkVNuodpCa wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-kamagra-online-it.html prezzo kamagra, %-]]], http://acquistareladroga.it/comprare-acquistare-nolvadex-online-it.html comprare nolvadex, 48217, http://acquistareladroga.it/comprare-acquistare-orlistat-online-it.html vendita orlistat, =-PP, http://acquistareladroga.it/comprare-acquistare-prednisone-online-it.html vendita prednisone, =-PP, http://acquistareladroga.it/comprare-acquistare-priligy-online-it.html vendita priligy, 8996, 3bf5971c0fc7da29961ad1a9438fd20f5fe94655 2816 2815 2012-05-10T13:47:55Z 31.184.238.15 0 ZfubzWMs wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-relafen-online-en.html buy relafen online, 741, http://cheappurchaseonline.com/buy-generic-remeron-online-en.html generic remeron, 218062, http://cheappurchaseonline.com/buy-generic-reminyl-online-en.html generic reminyl, 501, http://cheappurchaseonline.com/buy-generic-reosto-online-en.html generic reosto, doui, http://cheappurchaseonline.com/buy-generic-requip-online-en.html generic requip, rgpqg, http://cheappurchaseonline.com/buy-generic-retin-a-online-en.html buy retin-a, wsce, http://cheappurchaseonline.com/buy-generic-retrovir-online-en.html buy retrovir online, uulxy, http://cheappurchaseonline.com/buy-generic-revia-online-en.html buy revia online, >:]], 17d06647c8c094cca2a5216ab2e00e4a97355f21 2817 2816 2012-05-10T13:48:13Z 31.184.238.9 0 TSPHYzYxXUyu wikitext text/x-wiki , http://onlinefarmacia.it/ comprare propecia, 76130, http://onlinefarmacia.it/comprare-acquistare-female-viagra-online-it.html prezzo female viagra, 8206, http://onlinefarmacia.it/comprare-acquistare-flagyl-online-it.html comprare flagyl, mgqoiw, http://onlinefarmacia.it/comprare-acquistare-kamagra-online-it.html generico kamagra, :-OOO, http://onlinefarmacia.it/comprare-acquistare-lasix-online-it.html comprare lasix, :-OOO, d9a7819d2cf75f3af6732831169bfea02289f715 2818 2817 
2012-05-10T13:53:12Z 31.184.238.9 0 NgEERCAoXVVRuIv wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-accutane-online-it.html acquistare accutane, 933, http://onlinefarmacia.it/comprare-acquistare-amoxil-online-it.html comprare amoxil online, 256, http://onlinefarmacia.it/comprare-acquistare-bactrim-online-it.html prezzo bactrim, qjz, http://onlinefarmacia.it/comprare-acquistare-cialis-online-it.html comprare cialis, :D, http://onlinefarmacia.it/comprare-acquistare-cialis-professional-online-it.html generico cialis professional, zivlz, 64a2eac35f67ed8acbf30dc6341420290e0e8a0f 2819 2818 2012-05-10T13:57:47Z 31.184.238.9 0 CGSIwYDeOOsnImQwnE wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter levitra, tspbvg, http://enlignepharmacie.fr/acheter-achat-cialis-super-active-en-ligne-fr.html vente cialis super active, :))), http://enlignepharmacie.fr/acheter-achat-cipro-en-ligne-fr.html generique cipro, 03771, http://enlignepharmacie.fr/acheter-achat-clomid-en-ligne-fr.html acheter clomid, woy, http://enlignepharmacie.fr/acheter-achat-diflucan-en-ligne-fr.html diflucan, 8-P, 7e8a6df23757eac0ea81a0a87d1d6e3f287f3503 2820 2819 2012-05-10T13:59:53Z 31.184.238.15 0 rBmxtvOeSPZnTHl wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-lanoxin-online-en.html buy lanoxin online, hulzym, http://cheappurchaseonline.com/buy-generic-lasuna-online-en.html buy lasuna, >:[[, http://cheappurchaseonline.com/buy-generic-leukeran-online-en.html generic leukeran, 8-], http://cheappurchaseonline.com/buy-generic-levaquin-online-en.html buy levaquin, :[[[, http://cheappurchaseonline.com/buy-generic-lexapro-online-en.html buy lexapro online, biywz, http://cheappurchaseonline.com/buy-generic-lincocin-online-en.html buy lincocin online, 96478, http://cheappurchaseonline.com/buy-generic-lioresal-online-en.html generic lioresal, 4607, http://cheappurchaseonline.com/buy-generic-lipitor-online-en.html buy lipitor online, 758, 
2d9875cfc8892e5b958bde7941fc0dfcf9e180d2 2821 2820 2012-05-10T14:01:22Z 31.184.238.9 0 pxkZxvwLiClzXJoFVRU wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-viagra-en-ligne-fr.html acheter viagra en ligne, >:-[[, http://enlignepharmacie.fr/acheter-achat-viagra-professional-en-ligne-fr.html achat viagra professional, 634504, http://enlignepharmacie.fr/acheter-achat-viagra-super-active-en-ligne-fr.html achat viagra super active, jmiwaz, http://enlignepharmacie.fr/acheter-achat-zithromax-en-ligne-fr.html vente zithromax, lsd, http://enlignepharmacie.fr/acheter-achat-zoloft-en-ligne-fr.html zoloft, 20304, 86cd0276ce4a7c41b1b1d75d4449e08aad786c34 2822 2821 2012-05-10T14:16:54Z 31.184.238.15 0 rEAWnhFpZlEIHmxFAh wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-danocrine-online-en.html generic danocrine, 6866, http://cheappurchaseonline.com/buy-generic-dapsone-online-en.html buy dapsone, 3394, http://cheappurchaseonline.com/buy-generic-ddavp-online-en.html buy ddavp, 08082, http://cheappurchaseonline.com/buy-generic-decadron-online-en.html buy decadron, 574592, http://cheappurchaseonline.com/buy-generic-depakote-online-en.html buy depakote online, mmgz, http://cheappurchaseonline.com/buy-generic-desogen-online-en.html buy desogen online, 731586, http://cheappurchaseonline.com/buy-generic-desyrel-online-en.html buy desyrel online, 755, http://cheappurchaseonline.com/buy-generic-detrol-la-online-en.html generic detrol la, %), 1cb51e0c767c87e4f100f8fe67ad9fcd16aae088 2823 2822 2012-05-10T14:19:01Z 31.184.238.9 0 rtceniVCMILGngweyRa wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-cialis-super-active-online-it.html comprare cialis super active, 5898, http://onlinefarmacia.it/comprare-acquistare-cipro-online-it.html prezzo cipro, :(((, http://onlinefarmacia.it/comprare-acquistare-clomid-online-it.html generic clomid, =]], http://onlinefarmacia.it/comprare-acquistare-diflucan-online-it.html vendita diflucan, 2854, 
http://onlinefarmacia.it/comprare-acquistare-doxycycline-online-it.html vendita doxycycline, 875, ff0a7d821b146a9b902de4ed2265d24d34e4c4ab 2824 2823 2012-05-10T14:22:50Z 31.184.238.15 0 DOYyceeNfjvDXQ wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-trecator-sc-online-en.html buy trecator-sc online, 8-(, http://cheappurchaseonline.com/buy-generic-trental-online-en.html buy trental, 007, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html buy tricor online, 241505, http://cheappurchaseonline.com/buy-generic-trileptal-online-en.html generic trileptal, >:-PP, http://cheappurchaseonline.com/buy-generic-tritace-online-en.html buy tritace, 548, http://cheappurchaseonline.com/buy-generic-tylenol-online-en.html buy tylenol online, 8-]], http://cheappurchaseonline.com/buy-generic-uniphyl-cr-online-en.html buy uniphyl cr online, :]]], http://cheappurchaseonline.com/buy-generic-urispas-online-en.html generic urispas, mamy, 74be44cd717c0b9b88f896f9ab3239806538d8be 2825 2824 2012-05-10T14:23:32Z 31.184.238.9 0 IriCFKeTInpsi wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-strattera-en-ligne-fr.html acheter strattera en ligne, aqcoxf, http://generiquesmedicaments.fr/acheter-achat-viagra-en-ligne-fr.html generique viagra, >:OOO, http://generiquesmedicaments.fr/acheter-achat-viagra-professional-en-ligne-fr.html acheter viagra professional, %-OO, http://generiquesmedicaments.fr/acheter-achat-viagra-super-active-en-ligne-fr.html generique viagra super active, 184, http://generiquesmedicaments.fr/acheter-achat-zithromax-en-ligne-fr.html acheter zithromax, =-OO, f10fbb9020c2aea1a846e8ef52f28408a1d33e22 2826 2825 2012-05-10T14:27:12Z 31.184.238.15 0 fdrtKRGFLpQmb wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-naprelan-online-en.html buy naprelan, 1508, http://cheappurchaseonline.com/buy-generic-neem-online-en.html buy neem online, 628806, 
http://cheappurchaseonline.com/buy-generic-neurontin-online-en.html buy neurontin online, 008922, http://cheappurchaseonline.com/buy-generic-nexium-online-en.html buy nexium online, 643401, http://cheappurchaseonline.com/buy-generic-nimotop-online-en.html buy nimotop, 10240, http://cheappurchaseonline.com/buy-generic-nitroglycerin-online-en.html generic nitroglycerin, 141246, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html buy nizoral, 92990, http://cheappurchaseonline.com/buy-generic-noroxin-online-en.html buy noroxin online, hzxl, e4972418fc60c3d300d9d42e0834376ad8f333ae 2827 2826 2012-05-10T14:27:31Z 31.184.238.9 0 dUxyCkfoqY wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-accutane-online-it.html generic accutane, :-PP, http://onlinefarmacia.it/comprare-acquistare-amoxil-online-it.html generico amoxil, %-((, http://onlinefarmacia.it/comprare-acquistare-bactrim-online-it.html comprare bactrim, awi, http://onlinefarmacia.it/comprare-acquistare-cialis-online-it.html prezzo cialis, dploxf, http://onlinefarmacia.it/comprare-acquistare-cialis-professional-online-it.html generic cialis professional, 919, 4ed9c29c0289bc6747a06d449c5b7071901709c7 2828 2827 2012-05-10T14:31:52Z 31.184.238.9 0 iKsYQpRL wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-diflucan-online-it.html generic diflucan, >:-]], http://acquistareladroga.it/comprare-acquistare-doxycycline-online-it.html vendita doxycycline, 8-)), http://acquistareladroga.it/comprare-acquistare-finpecia-online-it.html vendita finpecia, 832238, http://acquistareladroga.it/ comprare strattera, qomtt, http://acquistareladroga.it/comprare-acquistare-flagyl-online-it.html comprare flagyl online, >:[[[, f2089e38dd0817f27b432e73f4571486f01455b1 2829 2828 2012-05-10T14:33:06Z 31.184.238.15 0 CSTdGDsIRnpByjdcPxs wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-verampil-online-en.html buy verampil, 8], 
http://cheappurchaseonline.com/buy-generic-verapamil-online-en.html buy verapamil, 7236, http://cheappurchaseonline.com/buy-generic-vermox-online-en.html buy vermox online, 8-[[, http://cheappurchaseonline.com/buy-generic-v-gel-online-en.html generic v-gel, jvr, http://cheappurchaseonline.com/buy-generic-vibramycin-online-en.html buy vibramycin, hyhfi, http://cheappurchaseonline.com/buy-generic-viramune-online-en.html generic viramune, vdrwn, http://cheappurchaseonline.com/buy-generic-vitamin-b12-online-en.html generic vitamin b12, ycpzzg, http://cheappurchaseonline.com/buy-generic-vitamin-c-online-en.html buy vitamin c online, jkdhf, 53a8dd43fe98ca72ee9e817a91dacd37dca39b3b 2830 2829 2012-05-10T14:36:20Z 31.184.238.9 0 NqqiloLZBvGwa wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-priligy-online-it.html prezzo priligy, :(, http://onlinefarmacia.it/comprare-acquistare-propecia-online-it.html generico propecia, 8-[[, http://onlinefarmacia.it/comprare-acquistare-proscar-online-it.html generic proscar, 8390, http://onlinefarmacia.it/ comprare viagra professional, 948, http://onlinefarmacia.it/comprare-acquistare-strattera-online-it.html comprare strattera online, fhcp, 3a0038244336fce572bcc8446d02aef652259ba2 2831 2830 2012-05-10T14:39:15Z 31.184.238.15 0 OXPiJHebGnydXwrN wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-calan-online-en.html buy calan online, ospg, http://cheappurchaseonline.com/buy-generic-calan-sr-online-en.html buy calan sr, %-(, http://cheappurchaseonline.com/buy-generic-calcium-carbonate-online-en.html buy calcium carbonate, 0558, http://cheappurchaseonline.com/buy-generic-capoten-online-en.html buy capoten, yrq, http://cheappurchaseonline.com/buy-generic-carafate-online-en.html buy carafate, 8-PPP, http://cheappurchaseonline.com/buy-generic-cardarone-online-en.html generic cardarone, witopa, http://cheappurchaseonline.com/buy-generic-cardura-online-en.html buy cardura, 49872, 
http://cheappurchaseonline.com/buy-generic-cataflam-online-en.html buy cataflam online, 64065, 7c6197424866d3a149c0ed649758892a23a1f372 2832 2831 2012-05-10T14:40:40Z 31.184.238.9 0 GQswTqGSmDZzuMJsQyO wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-cialis-professional-online-it.html generic cialis professional, %-], http://acquistareladroga.it/comprare-acquistare-cialis-super-active-online-it.html comprare cialis super active online, %O, http://acquistareladroga.it/comprare-acquistare-cipro-online-it.html acquistare cipro, mrgyd, http://acquistareladroga.it/ comprare prednisone, 7888, http://acquistareladroga.it/comprare-acquistare-clomid-online-it.html acquistare clomid, :-PPP, 106ca7cad5b9ed6fec020e2a359ac262ccb80ac4 2833 2832 2012-05-10T14:44:11Z 31.184.238.15 0 oWGBCbOVYDDOnVd wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-protonix-online-en.html buy protonix online, zptldk, http://cheappurchaseonline.com/buy-generic-proventil-online-en.html generic proventil, 8]]], http://cheappurchaseonline.com/buy-generic-provera-online-en.html generic provera, 35982, http://cheappurchaseonline.com/buy-generic-prozac-online-en.html buy prozac, udx, http://cheappurchaseonline.com/buy-generic-purim-online-en.html buy purim online, mfydn, http://cheappurchaseonline.com/buy-generic-pyridium-online-en.html buy pyridium online, %D, http://cheappurchaseonline.com/buy-generic-rebetol-online-en.html generic rebetol, rss, http://cheappurchaseonline.com/buy-generic-reglan-online-en.html buy reglan online, :PPP, ea6273f5c7ac9c1fbee5895b60f0a761c7f9ae04 Linux Security Summit 2012 0 8 2834 2833 2012-05-10T14:45:06Z 31.184.238.9 0 YBByqdDuWmdNbKm wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-cialis-super-active-online-it.html comprare cialis super active online, 9773, http://onlinefarmacia.it/comprare-acquistare-cipro-online-it.html acquistare cipro, eeiaxz, 
31.184.238.9 0 CKFgNlLJo wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter propecia, nqd, http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html achat accutane, 522, http://enlignepharmacie.fr/acheter-achat-amoxil-en-ligne-fr.html achat amoxil, sgj, http://enlignepharmacie.fr/acheter-achat-cialis-en-ligne-fr.html vente cialis, 869244, http://enlignepharmacie.fr/acheter-achat-cialis-professional-en-ligne-fr.html generique cialis professional, 54405, a6a5d75813f8a58f284b909ae050dc296d1013ba 2907 2906 2012-05-10T17:49:53Z 31.184.238.9 0 pVJJueNNQEtuDzx wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-viagra-professional-online-it.html comprare viagra professional online, :DD, http://acquistareladroga.it/comprare-acquistare-viagra-super-active-online-it.html acquistare viagra super active, >:(((, http://acquistareladroga.it/comprare-acquistare-wellbutrin-online-it.html prezzo wellbutrin, sllxkh, http://acquistareladroga.it/comprare-acquistare-zithromax-online-it.html vendita zithromax, 775, http://onlinefarmacia.it/ comprare accutane, 1257, 114affae0bb8bd304f227df770ab20d2acf97661 2908 2907 2012-05-10T17:51:20Z 31.184.238.15 0 ydCHKbeU wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html flagyl, 40970, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy kamagra, =-))), http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix online, jiwxr, 4b2e6cbc83c6231b0e24667cb586b0ae81573dde 2909 2908 2012-05-10T17:54:07Z 31.184.238.9 0 LzoAiGifRoMGJum wikitext text/x-wiki , http://generiquesmedicaments.fr/ acheter levitra, ueghgg, http://generiquesmedicaments.fr/acheter-achat-cialis-super-active-en-ligne-fr.html achat cialis super active, kssli, http://generiquesmedicaments.fr/acheter-achat-cipro-en-ligne-fr.html acheter cipro, 8], http://generiquesmedicaments.fr/acheter-achat-clomid-en-ligne-fr.html clomid, uajpsv, 
http://generiquesmedicaments.fr/acheter-achat-diflucan-en-ligne-fr.html diflucan, flyvf, 02c95f01ecf510bde62e1ddc38a145c9c147bafe 2910 2909 2012-05-10T17:56:13Z 31.184.238.15 0 IFDOoIxQBaxDeeUDDG wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy generic priligy, bcwrnf, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy propecia, odq, http://cheappurchaseonline.com/ generic viagra, jlj, c66e4c72fa4270d062041c95615850828ab4e05a 2911 2910 2012-05-10T17:58:20Z 31.184.238.9 0 EtQmgFthoxRCfGg wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-prednisone-en-ligne-fr.html acheter prednisone, 754, http://enlignepharmacie.fr/acheter-achat-priligy-en-ligne-fr.html achat priligy, lvjae, http://enlignepharmacie.fr/ acheter viagra, qluwg, http://enlignepharmacie.fr/acheter-achat-propecia-en-ligne-fr.html generique propecia, mqm, http://enlignepharmacie.fr/acheter-achat-strattera-en-ligne-fr.html vente strattera, :-D, 9d06daf3448618c12b2b2753a9be454736fe8bac 2912 2911 2012-05-10T18:02:16Z 31.184.238.15 0 aOeQcCCgVIbMQw wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html generic zoloft, %], 87efc3efd34148255a79edbe7891a45e4ecd23a0 2913 2912 2012-05-10T18:02:43Z 31.184.238.9 0 zJvzUAWKLT wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter female viagra, 749443, http://enlignepharmacie.fr/acheter-achat-lasix-en-ligne-fr.html acheter lasix, =PPP, http://enlignepharmacie.fr/acheter-achat-levitra-en-ligne-fr.html levitra, 573, http://enlignepharmacie.fr/acheter-achat-nolvadex-en-ligne-fr.html acheter nolvadex en ligne, odb, http://enlignepharmacie.fr/acheter-achat-orlistat-en-ligne-fr.html orlistat, 8-[[[, 892199c8a250a656f4a21b243abe9830a4b7dade 2914 2913 2012-05-10T18:06:53Z 31.184.238.9 0 YoIOVXrljwnTqF wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-calan-online-it.html comprare calan, fpqawy, 
http://onlinefarmacia.it/comprare-acquistare-calan-sr-online-it.html comprare calan sr, fbbk, http://onlinefarmacia.it/comprare-acquistare-calcium-carbonate-online-it.html acquistare calcium carbonate, 305, http://onlinefarmacia.it/comprare-acquistare-capoten-online-it.html capoten, >:-)), http://onlinefarmacia.it/comprare-acquistare-carafate-online-it.html acquistare carafate, injvh, http://onlinefarmacia.it/comprare-acquistare-cardarone-online-it.html cardarone, lyhxof, http://onlinefarmacia.it/comprare-acquistare-cardura-online-it.html comprare cardura, 055844, http://onlinefarmacia.it/comprare-acquistare-cataflam-online-it.html cataflam, 3162, http://onlinefarmacia.it/comprare-acquistare-catapres-online-it.html catapres, ymq, 1390dbc8150d6d93b65e142d3db526618ecae247 2915 2914 2012-05-10T18:07:48Z 31.184.238.15 0 XEmBfMXjuJRvrcWmX wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy generic viagra super active, 8-[[, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax online, :DDD, http://cheappurchaseonline.com/ generic kamagra, mpztej, 0fc3b08cd0863812a78194539f7de96a2215004f 2916 2915 2012-05-10T18:11:09Z 31.184.238.9 0 JjhYzuth wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-lithobid-online-it.html acquistare lithobid, 249815, http://onlinefarmacia.it/comprare-acquistare-liv52-drops-online-it.html comprare liv.52 drops, 429140, http://onlinefarmacia.it/comprare-acquistare-liv52-online-it.html acquistare liv.52, 49893, http://onlinefarmacia.it/comprare-acquistare-lopid-online-it.html lopid, 69312, http://onlinefarmacia.it/comprare-acquistare-lopressor-online-it.html lopressor, %-], http://onlinefarmacia.it/comprare-acquistare-lotensin-online-it.html lotensin, %-D, http://onlinefarmacia.it/comprare-acquistare-lotrel-online-it.html lotrel, 137, http://onlinefarmacia.it/comprare-acquistare-lotrisone-online-it.html comprare lotrisone, :PP, 
http://onlinefarmacia.it/comprare-acquistare-loxitane-online-it.html acquistare loxitane, ipyf, 3d9c0a1a276d567db2960ecaa595a54043d8d8a0 2917 2916 2012-05-10T18:13:29Z 31.184.238.15 0 cCKMWsLhVX wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html buy cialis super active, zppty, http://cheappurchaseonline.com/ generic prednisone, 731, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html buy cipro, ooyaxl, ccd2833a7dd8dd711acfd52fea22582828212ad5 2918 2917 2012-05-10T18:15:37Z 31.184.238.9 0 qyapSMVcM wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-robaxin-online-it.html acquistare robaxin, 668, http://onlinefarmacia.it/comprare-acquistare-rocaltrol-online-it.html comprare rocaltrol, 386620, http://onlinefarmacia.it/comprare-acquistare-rulide-online-it.html comprare rulide, 6434, http://onlinefarmacia.it/comprare-acquistare-rumalaya-fort-online-it.html comprare rumalaya fort, =-[[[, http://onlinefarmacia.it/comprare-acquistare-rumalaya-online-it.html acquistare rumalaya, 0070, http://onlinefarmacia.it/comprare-acquistare-rythmol-online-it.html comprare rythmol, >:))), http://onlinefarmacia.it/comprare-acquistare-septilin-online-it.html septilin, 279, http://onlinefarmacia.it/comprare-acquistare-serevent-online-it.html serevent, >:-D, http://onlinefarmacia.it/comprare-acquistare-serophene-online-it.html serophene, =-(, d44717fea8ec8e7d938e3d8ebedd5ed4a5d8261c 2920 2918 2012-05-10T18:19:17Z 31.184.238.15 0 CoeJWaPgRvwVTIEGbx wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy cheap viagra super active, 89646, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html zithromax, 2663, http://cheappurchaseonline.com/ generic female viagra, zqzrpc, f66fb22b9f895825e58c18cc4dccdea51990fcc1 2921 2920 2012-05-10T18:19:58Z 31.184.238.9 0 sFxEaGrWlkg wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter viagra, uqb, 
http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html generique accutane, >:), http://enlignepharmacie.fr/acheter-achat-amoxil-en-ligne-fr.html amoxil, >:-OOO, http://enlignepharmacie.fr/acheter-achat-cialis-en-ligne-fr.html acheter cialis en ligne, jmntg, http://enlignepharmacie.fr/acheter-achat-cialis-professional-en-ligne-fr.html cialis professional, 88374, http://enlignepharmacie.fr/ acheter doxycycline, xvrxn, http://enlignepharmacie.fr/acheter-achat-cialis-super-active-en-ligne-fr.html achat cialis super active, >:-[[[, http://enlignepharmacie.fr/acheter-achat-cipro-en-ligne-fr.html vente cipro, 13553, http://enlignepharmacie.fr/acheter-achat-clomid-en-ligne-fr.html acheter clomid en ligne, >:-[, 3979727dbfd93623a7249bb3330b7f50d1dd2f92 2922 2921 2012-05-10T18:24:25Z 31.184.238.9 0 vHReoXrv wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-risperdal-online-it.html comprare risperdal, :P, http://acquistareladroga.it/comprare-acquistare-robaxin-online-it.html robaxin, cpoqnw, http://acquistareladroga.it/comprare-acquistare-rocaltrol-online-it.html acquistare rocaltrol, 08217, http://acquistareladroga.it/comprare-acquistare-rulide-online-it.html rulide, 8DDD, http://acquistareladroga.it/comprare-acquistare-rumalaya-fort-online-it.html comprare rumalaya fort, %-D, http://acquistareladroga.it/comprare-acquistare-rumalaya-online-it.html acquistare rumalaya, irtnrb, http://acquistareladroga.it/comprare-acquistare-rythmol-online-it.html comprare rythmol, >:[, http://acquistareladroga.it/comprare-acquistare-septilin-online-it.html comprare septilin, 189024, http://acquistareladroga.it/comprare-acquistare-serevent-online-it.html acquistare serevent, %[, 124029478660e13ffab6956ab538c8975b533fa8 2923 2922 2012-05-10T18:24:39Z 31.184.238.15 0 eaUylBnnJzWrKed wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html buy cheap cialis super active, =-P, http://cheappurchaseonline.com/ 
generic amoxil, zeftye, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html buy cipro, 8-]], 83bd3663b5f07dbad61e30fa5ab44a52673af96b 2924 2923 2012-05-10T18:28:47Z 31.184.238.9 0 yhtbctYvsjbVSdLTYJW wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-nimotop-online-it.html comprare nimotop, bnqel, http://onlinefarmacia.it/comprare-acquistare-nitroglycerin-online-it.html acquistare nitroglycerin, 338, http://onlinefarmacia.it/comprare-acquistare-nizoral-online-it.html nizoral, xmborq, http://onlinefarmacia.it/comprare-acquistare-noroxin-online-it.html acquistare noroxin, =(((, http://onlinefarmacia.it/comprare-acquistare-nortriptyline-online-it.html acquistare nortriptyline, %(, http://onlinefarmacia.it/comprare-acquistare-norvasc-online-it.html acquistare norvasc, tuopuq, http://onlinefarmacia.it/comprare-acquistare-omnicef-online-it.html omnicef, 0249, http://onlinefarmacia.it/comprare-acquistare-ophthacare-online-it.html acquistare ophthacare, bug, http://onlinefarmacia.it/comprare-acquistare-oxytrol-online-it.html acquistare oxytrol, %((, efd2ae24ea0c7f6e6779ed4207455fb6776cce2d 2925 2924 2012-05-10T18:30:30Z 31.184.238.15 0 muXptOVsaDuqLUvXYs wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html generic levitra, =PPP, http://cheappurchaseonline.com/ generic prednisone, 8-[, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy nolvadex</a>, zjaxry, f2ffc692fff1277094432bb731d97821c75bb727 2926 2925 2012-05-10T18:33:03Z 31.184.238.9 0 uPNVqggxWIbJrIcvbO wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-phenamax-online-it.html acquistare phenamax, 6648, http://onlinefarmacia.it/comprare-acquistare-phenergan-online-it.html comprare phenergan, 8OOO, http://onlinefarmacia.it/comprare-acquistare-phoslo-online-it.html comprare phoslo, 598984, http://onlinefarmacia.it/comprare-acquistare-pilex-online-it.html acquistare pilex, =-]]], 
http://onlinefarmacia.it/comprare-acquistare-plavix-online-it.html comprare plavix, 853957, http://onlinefarmacia.it/comprare-acquistare-plendil-online-it.html acquistare plendil, 028455, http://onlinefarmacia.it/comprare-acquistare-pletal-online-it.html comprare pletal, ahbp, http://onlinefarmacia.it/comprare-acquistare-ponstel-online-it.html ponstel, :-D, http://onlinefarmacia.it/comprare-acquistare-prandin-online-it.html comprare prandin, ouguju, fe152e9900720a8e5f571cf0912633e157406ac8 2927 2926 2012-05-10T18:36:42Z 31.184.238.15 0 ccsfSdRlJyheM wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html generic amoxil, mjupx, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html generic cialis, 459, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html cialis professional, =-(((, d6a31cb0d6a5d7d3c3fccc30e7fb7b64f3878418 2928 2927 2012-05-10T18:37:15Z 31.184.238.9 0 gcWwylKhebTTlcTz wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-robaxin-online-it.html robaxin, 02338, http://onlinefarmacia.it/comprare-acquistare-rocaltrol-online-it.html comprare rocaltrol, 3114, http://onlinefarmacia.it/comprare-acquistare-rulide-online-it.html comprare rulide, %PPP, http://onlinefarmacia.it/comprare-acquistare-rumalaya-fort-online-it.html rumalaya fort, 5536, http://onlinefarmacia.it/comprare-acquistare-rumalaya-online-it.html comprare rumalaya, 257923, http://onlinefarmacia.it/comprare-acquistare-rythmol-online-it.html comprare rythmol, 4317, http://onlinefarmacia.it/comprare-acquistare-septilin-online-it.html comprare septilin, =P, http://onlinefarmacia.it/comprare-acquistare-serevent-online-it.html serevent, 893, http://onlinefarmacia.it/comprare-acquistare-serophene-online-it.html serophene, >:(, f0ac4b5539d65486747cb90e3fde003c6bb5e48e 2929 2928 2012-05-10T18:41:40Z 31.184.238.9 0 qCjpIFhwjdNfgHY wikitext text/x-wiki , 
http://onlinefarmacia.it/comprare-acquistare-pamelor-online-it.html comprare pamelor, zhni, http://onlinefarmacia.it/comprare-acquistare-panadol-online-it.html comprare panadol, :DD, http://onlinefarmacia.it/comprare-acquistare-parlodel-online-it.html comprare parlodel, racdaq, http://onlinefarmacia.it/comprare-acquistare-paxil-cr-online-it.html paxil cr, dtj, http://onlinefarmacia.it/comprare-acquistare-paxil-online-it.html paxil, 714759, http://onlinefarmacia.it/comprare-acquistare-pentasa-online-it.html comprare pentasa, :DD, http://onlinefarmacia.it/comprare-acquistare-pepcid-online-it.html comprare pepcid, 8-], http://onlinefarmacia.it/comprare-acquistare-periactin-online-it.html acquistare periactin, pmsojw, http://onlinefarmacia.it/comprare-acquistare-persantine-online-it.html acquistare persantine, ulwu, e5a1eaae9025d0716d875a2d17bb02e5af594532 2930 2929 2012-05-10T18:41:58Z 31.184.238.15 0 sJObUkRoilvtTDCa wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html generic viagra super active, 8OOO, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html generic zithromax, 035572, http://cheappurchaseonline.com/ generic zithromax, 5591, 1d757316d8b2ce1a9779de95b983e3a0c802900a 2931 2930 2012-05-10T18:45:54Z 31.184.238.9 0 VMJVxNfojndTMOeC wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-kamagra-en-ligne-fr.html achat kamagra, tzm, http://generiquesmedicaments.fr/acheter-achat-lasix-en-ligne-fr.html acheter lasix en ligne, =-(, http://generiquesmedicaments.fr/ acheter doxycycline, 8-[, http://generiquesmedicaments.fr/acheter-achat-levitra-en-ligne-fr.html generique levitra, 8-OO, http://generiquesmedicaments.fr/acheter-achat-nolvadex-en-ligne-fr.html acheter nolvadex en ligne, 0557, http://generiquesmedicaments.fr/acheter-achat-orlistat-en-ligne-fr.html vente orlistat, tept, http://generiquesmedicaments.fr/acheter-achat-prednisone-en-ligne-fr.html achat prednisone, ketuo, 
http://generiquesmedicaments.fr/acheter-achat-priligy-en-ligne-fr.html priligy, bykf, http://generiquesmedicaments.fr/ acheter female viagra, :D, 73a5302eaacf68f913d111a128ee8c35c79ad95f 2932 2931 2012-05-10T18:47:43Z 31.184.238.15 0 mOquUcmza wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy cheap levitra, %OOO, http://cheappurchaseonline.com/ generic levitra, :-), http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy nolvadex online, 605, 64ec2a38cf5813cb054c7413fb5ba68e965b1977 2933 2932 2012-05-10T18:50:06Z 31.184.238.9 0 BimaUGUeAwYaOns wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-precose-online-it.html precose, qjeg, http://onlinefarmacia.it/comprare-acquistare-premarin-online-it.html comprare premarin, >:-OO, http://onlinefarmacia.it/comprare-acquistare-prevacid-online-it.html prevacid, =DDD, http://onlinefarmacia.it/comprare-acquistare-prilosec-online-it.html prilosec, gbs, http://onlinefarmacia.it/comprare-acquistare-prinivil-online-it.html acquistare prinivil, 299, http://onlinefarmacia.it/comprare-acquistare-procardia-online-it.html comprare procardia, fxnzqc, http://onlinefarmacia.it/comprare-acquistare-prograf-online-it.html prograf, hoze, http://onlinefarmacia.it/comprare-acquistare-prometrium-online-it.html prometrium, tkhoqa, http://onlinefarmacia.it/comprare-acquistare-proscar-online-it.html comprare proscar, %DD, 86c330c31b9028a23bdc87cfe2b79c2558b3e1c6 2934 2933 2012-05-10T18:52:58Z 31.184.238.15 0 uMrGbEOa wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-zoloft-online-en.html zoloft, remnx, 515d6535e1c5a9000f4616b30c7a3a3b5e8fe8b6 2935 2934 2012-05-10T18:54:20Z 31.184.238.9 0 WmQWIpigoCwAX wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-protonix-online-it.html comprare protonix, %(((, http://onlinefarmacia.it/comprare-acquistare-proventil-online-it.html acquistare proventil, obsi, 
http://onlinefarmacia.it/comprare-acquistare-provera-online-it.html acquistare provera, :-(, http://onlinefarmacia.it/comprare-acquistare-prozac-online-it.html prozac, 8DDD, http://onlinefarmacia.it/comprare-acquistare-purim-online-it.html comprare purim, 23049, http://onlinefarmacia.it/comprare-acquistare-pyridium-online-it.html pyridium, >:PP, http://onlinefarmacia.it/comprare-acquistare-rebetol-online-it.html comprare rebetol, 7403, http://onlinefarmacia.it/comprare-acquistare-reglan-online-it.html acquistare reglan, 01201, http://onlinefarmacia.it/comprare-acquistare-relafen-online-it.html relafen, 8DD, 9bdcb4db7aa033b9d3b8e4ac2cfbb2fdcc3e7431 Linux Security Summit 2012 0 8 2936 2935 2012-05-10T18:58:32Z 31.184.238.9 0 JecazbofARVKix wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-tetracycline-online-it.html tetracycline, jtd, http://onlinefarmacia.it/comprare-acquistare-theo-24-cr-online-it.html comprare theo-24 cr, yajj, http://onlinefarmacia.it/comprare-acquistare-theo-24-sr-online-it.html theo-24 sr, 57058, http://onlinefarmacia.it/comprare-acquistare-thorazine-online-it.html comprare thorazine, itld, http://onlinefarmacia.it/comprare-acquistare-ticlid-online-it.html ticlid, 08213, http://onlinefarmacia.it/comprare-acquistare-tinidazole-online-it.html comprare tinidazole, jhuwmd, http://onlinefarmacia.it/comprare-acquistare-tofranil-online-it.html tofranil, vnx, http://onlinefarmacia.it/comprare-acquistare-topamax-online-it.html acquistare topamax, fpft, http://onlinefarmacia.it/comprare-acquistare-toprol-online-it.html toprol, 59687, 53803a2a8a6f402d539834677f08ee8d0f05ebe0 2937 2936 2012-05-10T18:58:34Z 31.184.238.15 0 XFgujveAuxmTYVix wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active online, 15851, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax online, =))), http://cheappurchaseonline.com/ generic female viagra, >:P, 
cf5bab366ec3faa18189abed1eb900cc4744cdd2 2938 2937 2012-05-10T19:02:59Z 31.184.238.9 0 SEVXqtLIliVZbH wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-robaxin-online-it.html acquistare robaxin, krub, http://onlinefarmacia.it/comprare-acquistare-rocaltrol-online-it.html rocaltrol, :-]], http://onlinefarmacia.it/comprare-acquistare-rulide-online-it.html rulide, 240, http://onlinefarmacia.it/comprare-acquistare-rumalaya-fort-online-it.html rumalaya fort, 8088, http://onlinefarmacia.it/comprare-acquistare-rumalaya-online-it.html comprare rumalaya, :-[, http://onlinefarmacia.it/comprare-acquistare-rythmol-online-it.html rythmol, 83772, http://onlinefarmacia.it/comprare-acquistare-septilin-online-it.html acquistare septilin, iqvgg, http://onlinefarmacia.it/comprare-acquistare-serevent-online-it.html acquistare serevent, 8D, http://onlinefarmacia.it/comprare-acquistare-serophene-online-it.html serophene, %-OOO, 45ea5e159b88be22af81426acb9d7947f5e340c3 2939 2938 2012-05-10T19:04:12Z 31.184.238.15 0 WakPyVMhsQkbG wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-cialis-super-active-online-en.html cialis super active, gyjal, http://cheappurchaseonline.com/ generic flagyl, cron, http://cheappurchaseonline.com/buy-generic-cipro-online-en.html buy cheap cipro, nqzn, 3cf7dca2bfebbc37d5947d87cc71789f528c358a 2940 2939 2012-05-10T19:07:36Z 31.184.238.9 0 CLQlBOBnqZaNhx wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-antivert-en-ligne-fr.html antivert, 23780, http://enlignepharmacie.fr/acheter-achat-aralen-en-ligne-fr.html acheter aralen, ucfnt, http://enlignepharmacie.fr/acheter-achat-arava-en-ligne-fr.html acheter arava, vctigu, http://enlignepharmacie.fr/acheter-achat-arcoxia-en-ligne-fr.html achat arcoxia, 726377, http://enlignepharmacie.fr/acheter-achat-aricept-en-ligne-fr.html achat aricept, zmoy, http://enlignepharmacie.fr/acheter-achat-arimidex-en-ligne-fr.html achat arimidex, =(, 
http://enlignepharmacie.fr/acheter-achat-aristocort-en-ligne-fr.html achat aristocort, 377414, http://enlignepharmacie.fr/acheter-achat-arjuna-en-ligne-fr.html acheter arjuna, oml, http://enlignepharmacie.fr/acheter-achat-artane-en-ligne-fr.html artane, %-D, 8c80ddd67d3475e4f56f01a4459bfb81f44ae413 2941 2940 2012-05-10T19:09:41Z 31.184.238.15 0 xIKCKHSjYc wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy cheap levitra, =((, http://cheappurchaseonline.com/ generic viagra, 542, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy generic nolvadex, 8-OO, 8cc7da5560cd228bbb7f42c7674c1d8b60957e6e 2942 2941 2012-05-10T19:11:57Z 31.184.238.9 0 rxociImfcuutSDJre wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zovirax-online-it.html comprare zovirax, 70622, http://onlinefarmacia.it/comprare-acquistare-zyban-online-it.html acquistare zyban, 464, http://onlinefarmacia.it/comprare-acquistare-zyloprim-online-it.html acquistare zyloprim, 682865, http://onlinefarmacia.it/comprare-acquistare-zyprexa-online-it.html comprare zyprexa, 99641, http://onlinefarmacia.it/comprare-acquistare-zyrtec-online-it.html acquistare zyrtec, >:-[[[, http://onlinefarmacia.it/comprare-acquistare-zyvox-online-it.html acquistare zyvox, dmrid, f4d0b093ecf0e355c6fa9e1e5c537ed5b5f0deba 2943 2942 2012-05-10T19:15:32Z 31.184.238.15 0 heIsfVNCW wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy cheap amoxil, 32159, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy cialis, =PPP, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html generic cialis professional, >:))), 10bf49460db76fde3d733d3ee1f608742ba4ec10 2944 2943 2012-05-10T19:16:00Z 31.184.238.9 0 wqhbyVlafpNKnlhdIH wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-biaxin-en-ligne-fr.html biaxin, 485, 
http://enlignepharmacie.fr/acheter-achat-brafix-en-ligne-fr.html achat brafix, %OOO, http://enlignepharmacie.fr/acheter-achat-brahmi-en-ligne-fr.html achat brahmi, rpxlei, http://enlignepharmacie.fr/acheter-achat-brand-temovate-en-ligne-fr.html acheter brand temovate, anr, http://enlignepharmacie.fr/acheter-achat-breast-success-en-ligne-fr.html achat breast success, 454, http://enlignepharmacie.fr/acheter-achat-brethine-en-ligne-fr.html acheter brethine, >:-[, http://enlignepharmacie.fr/acheter-achat-bupron-sr-en-ligne-fr.html achat bupron sr, 8(, http://enlignepharmacie.fr/acheter-achat-buspar-en-ligne-fr.html acheter buspar, 5859, http://enlignepharmacie.fr/acheter-achat-calan-en-ligne-fr.html acheter calan, 009, 9f0082a8049dc5782fc565ca1e2f3fdab46b8ac0 2945 2944 2012-05-10T19:20:11Z 31.184.238.9 0 WbNmpzWJhEaSZvAnQ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-hydrea-online-it.html hydrea, 8(((, http://onlinefarmacia.it/comprare-acquistare-hyzaar-online-it.html acquistare hyzaar, jfkjfq, http://onlinefarmacia.it/comprare-acquistare-imdur-online-it.html acquistare imdur, 330131, http://onlinefarmacia.it/comprare-acquistare-imitrex-online-it.html imitrex, =-O, http://onlinefarmacia.it/comprare-acquistare-imodium-online-it.html comprare imodium, 5701, http://onlinefarmacia.it/comprare-acquistare-imuran-online-it.html acquistare imuran, 4639, http://onlinefarmacia.it/comprare-acquistare-inderal-la-online-it.html comprare inderal la, :-PPP, http://onlinefarmacia.it/comprare-acquistare-inderal-online-it.html acquistare inderal, 8DDD, http://onlinefarmacia.it/comprare-acquistare-indinavir-online-it.html indinavir, 8OOO, 9e16ab71a0e1b0168e8e87bb9eeb9d26da287d59 2946 2945 2012-05-10T19:20:45Z 31.184.238.15 0 oVBshohwAKcstoML wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy generic amoxil, :-), http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy generic cialis, =-OOO, 
[Revisions 2946 through 2985, timestamped 2012-05-10T19:24:28Z to 2012-05-10T20:56:44Z and all submitted from 31.184.238.9 and 31.184.238.15, consist solely of pharmacy link spam (cheappurchaseonline.com, enlignepharmacie.fr, onlinefarmacia.it, acquistareladroga.it); their text is omitted here.]
Linux Security Summit 2012 0 8
[Revisions 2986 through 3006 of this page, timestamped 2012-05-10T21:00:47Z to 2012-05-10T21:52:32Z and all submitted from 31.184.238.9 and 31.184.238.15, consist solely of the same pharmacy link spam; their text is omitted here.]
http://onlinefarmacia.it/comprare-acquistare-motilium-online-it.html comprare motilium, %[, http://onlinefarmacia.it/comprare-acquistare-myambutol-online-it.html acquistare myambutol, hrffwy, http://onlinefarmacia.it/comprare-acquistare-mysoline-online-it.html acquistare mysoline, tloz, http://onlinefarmacia.it/comprare-acquistare-naprelan-online-it.html comprare naprelan, mro, http://onlinefarmacia.it/comprare-acquistare-neem-online-it.html neem, %-((, http://onlinefarmacia.it/comprare-acquistare-neurontin-online-it.html acquistare neurontin, 885, http://onlinefarmacia.it/comprare-acquistare-nexium-online-it.html comprare nexium, fvn, b501f17cc8433b3f21e465ce7e05b533dc0a86c4 3007 3006 2012-05-10T21:56:34Z 31.184.238.9 0 OFszaHTzoxmfJZNgBj wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-aciclovir-en-ligne-fr.html aciclovir, =-(, http://enlignepharmacie.fr/acheter-achat-aciphex-en-ligne-fr.html acheter aciphex, xkym, http://enlignepharmacie.fr/acheter-achat-acticin-en-ligne-fr.html achat acticin, mct, http://enlignepharmacie.fr/acheter-achat-actigall-en-ligne-fr.html actigall, jrarve, http://enlignepharmacie.fr/acheter-achat-actos-en-ligne-fr.html acheter actos, =-(, http://enlignepharmacie.fr/acheter-achat-adalat-en-ligne-fr.html achat adalat, 743879, http://enlignepharmacie.fr/acheter-achat-aggrenox-en-ligne-fr.html acheter aggrenox, dtkjvh, http://enlignepharmacie.fr/acheter-achat-albenza-en-ligne-fr.html acheter albenza, tbu, http://enlignepharmacie.fr/acheter-achat-alesse-en-ligne-fr.html acheter alesse, 901437, e64b8e3b08313185aad796899675de22ff72ccc7 3008 3007 2012-05-10T21:57:31Z 31.184.238.15 0 QsTMIltrNw wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html buy viagra super active online, %-]], http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html generic zithromax, 265095, http://cheappurchaseonline.com/ generic cialis super active, fsexkc, 
2798e0b7037a5ebb4d014b68fd32d4af59557e61 3009 3008 2012-05-10T22:01:04Z 31.184.238.9 0 pbsIgYFKJEJblhAKGfT wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-viagra-super-active-en-ligne-fr.html achat viagra super active, xds, http://enlignepharmacie.fr/acheter-achat-zithromax-en-ligne-fr.html generique zithromax, cezamo, http://enlignepharmacie.fr/acheter-achat-zoloft-en-ligne-fr.html vente zoloft, >:-PP, http://generiquesmedicaments.fr/ acheter priligy, >:-DD, http://generiquesmedicaments.fr/acheter-achat-accutane-en-ligne-fr.html accutane, 56306, http://generiquesmedicaments.fr/acheter-achat-amoxil-en-ligne-fr.html acheter amoxil, 504, http://generiquesmedicaments.fr/acheter-achat-cialis-en-ligne-fr.html achat cialis, ncnew, http://generiquesmedicaments.fr/acheter-achat-cialis-professional-en-ligne-fr.html achat cialis professional, 132, http://generiquesmedicaments.fr/ acheter cialis, 8-O, 6eb7e86bfffe31e3851b324ba1c271cafdcf2f8f 3010 3009 2012-05-10T22:03:11Z 31.184.238.15 0 jkYQsRhJRxBZEME wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html generic strattera, wqudgl, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy generic viagra, osexqf, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy viagra professional online, 29884, f22242e6e8b93aae79b2efdb606a1e3d2118f242 3011 3010 2012-05-10T22:04:36Z 31.184.238.9 0 voVSSlxpUdgDhxPFCw wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zantac-online-it.html acquistare zantac, 497917, http://onlinefarmacia.it/comprare-acquistare-zebeta-online-it.html zebeta, 9042, http://onlinefarmacia.it/comprare-acquistare-zerit-online-it.html zerit, jclq, http://onlinefarmacia.it/comprare-acquistare-zestoretic-online-it.html zestoretic, 9518, http://onlinefarmacia.it/comprare-acquistare-zestril-online-it.html acquistare zestril, jlkswp, http://onlinefarmacia.it/comprare-acquistare-zetia-online-it.html 
zetia, >:), http://onlinefarmacia.it/comprare-acquistare-zocor-online-it.html acquistare zocor, 819, http://onlinefarmacia.it/comprare-acquistare-zofran-online-it.html comprare zofran, vqqnu, http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html acquistare zoloft, tnrnt, 090a05b55cc2311e2b8127c0ebb197a50e7e12b3 3012 3011 2012-05-10T22:08:39Z 31.184.238.9 0 gdxUCsGkbPLP wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-viagra-super-active-en-ligne-fr.html generique viagra super active, >:PPP, http://enlignepharmacie.fr/acheter-achat-zithromax-en-ligne-fr.html vente zithromax, sigbmf, http://enlignepharmacie.fr/acheter-achat-zoloft-en-ligne-fr.html generique zoloft, ghqyxm, http://generiquesmedicaments.fr/ acheter viagra professional, >:-)), http://generiquesmedicaments.fr/acheter-achat-accutane-en-ligne-fr.html acheter accutane en ligne, rlxscu, http://generiquesmedicaments.fr/acheter-achat-amoxil-en-ligne-fr.html acheter amoxil en ligne, 300, http://generiquesmedicaments.fr/acheter-achat-cialis-en-ligne-fr.html generique cialis, sebt, http://generiquesmedicaments.fr/acheter-achat-cialis-professional-en-ligne-fr.html acheter cialis professional en ligne, =-]]], http://generiquesmedicaments.fr/ acheter nolvadex, :D, 42bd55c7d3097b478df60253cd93174f7c194ea5 3013 3012 2012-05-10T22:08:43Z 31.184.238.15 0 wEIDPczCZntGuxvBWG wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-amoxil-online-en.html buy generic amoxil, nxaatd, http://cheappurchaseonline.com/buy-generic-cialis-online-en.html buy cialis, iotc, http://cheappurchaseonline.com/buy-generic-cialis-professional-online-en.html buy cialis professional online, =]], 2a247bae1049617c54139a4f3f9475ee4bb3ba8a 3014 3013 2012-05-10T22:13:03Z 31.184.238.9 0 tPghjVHhwo wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-biaxin-en-ligne-fr.html achat biaxin, jtnvp, http://enlignepharmacie.fr/acheter-achat-brafix-en-ligne-fr.html acheter brafix, ezaln, 
http://enlignepharmacie.fr/acheter-achat-brahmi-en-ligne-fr.html acheter brahmi, %[[[, http://enlignepharmacie.fr/acheter-achat-brand-temovate-en-ligne-fr.html brand temovate, 338543, http://enlignepharmacie.fr/acheter-achat-breast-success-en-ligne-fr.html acheter breast success, 8))), http://enlignepharmacie.fr/acheter-achat-brethine-en-ligne-fr.html acheter brethine, 039031, http://enlignepharmacie.fr/acheter-achat-bupron-sr-en-ligne-fr.html achat bupron sr, >:-PPP, http://enlignepharmacie.fr/acheter-achat-buspar-en-ligne-fr.html acheter buspar, xefojz, http://enlignepharmacie.fr/acheter-achat-calan-en-ligne-fr.html acheter calan, %-(((, ea7ca1c2ae10d240cd5a4c8718f1ab09a95a41a5 3015 3014 2012-05-10T22:14:10Z 31.184.238.15 0 erLnbCXOQ wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy priligy, 413368, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy cheap propecia, cpyasu, http://cheappurchaseonline.com/ generic cialis super active, :-]]], 803895ca68a0d85c9ac52eebb0e23afd9970ffa4 3016 3015 2012-05-10T22:17:04Z 31.184.238.9 0 tqnMfKrGNdOejF wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-nimotop-online-it.html nimotop, 581785, http://onlinefarmacia.it/comprare-acquistare-nitroglycerin-online-it.html nitroglycerin, 6177, http://onlinefarmacia.it/comprare-acquistare-nizoral-online-it.html acquistare nizoral, 8-OO, http://onlinefarmacia.it/comprare-acquistare-noroxin-online-it.html noroxin, =-P, http://onlinefarmacia.it/comprare-acquistare-nortriptyline-online-it.html nortriptyline, 092872, http://onlinefarmacia.it/comprare-acquistare-norvasc-online-it.html norvasc, %]], http://onlinefarmacia.it/comprare-acquistare-omnicef-online-it.html omnicef, 15871, http://onlinefarmacia.it/comprare-acquistare-ophthacare-online-it.html comprare ophthacare, 54566, http://onlinefarmacia.it/comprare-acquistare-oxytrol-online-it.html oxytrol, mti, 6a34a367b559c9438f94520af6602eb66a0ddb05 3017 
3016 2012-05-10T22:19:06Z 31.184.238.15 0 jMInNwZYjNQPTbH wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-strattera-online-en.html buy strattera, 0565, http://cheappurchaseonline.com/buy-generic-viagra-online-en.html buy generic viagra, :[, http://cheappurchaseonline.com/buy-generic-viagra-professional-online-en.html buy viagra professional, vmk, 0cc04e64261b61bbea403071245c3004c0574140 3018 3017 2012-05-10T22:21:05Z 31.184.238.9 0 puhmaTVIp wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-nolvadex-en-ligne-fr.html acheter nolvadex en ligne, 71707, http://enlignepharmacie.fr/acheter-achat-orlistat-en-ligne-fr.html acheter orlistat en ligne, kkwg, http://enlignepharmacie.fr/acheter-achat-prednisone-en-ligne-fr.html vente prednisone, xjex, http://enlignepharmacie.fr/acheter-achat-priligy-en-ligne-fr.html acheter priligy en ligne, ugs, http://enlignepharmacie.fr/ acheter amoxil, 81451, http://enlignepharmacie.fr/acheter-achat-propecia-en-ligne-fr.html generique propecia, >:-D, http://enlignepharmacie.fr/acheter-achat-strattera-en-ligne-fr.html generique strattera, :-), http://enlignepharmacie.fr/acheter-achat-viagra-en-ligne-fr.html viagra, >:-(, http://enlignepharmacie.fr/acheter-achat-viagra-professional-en-ligne-fr.html acheter viagra professional en ligne, kewmr, ff733fdcbb69a990ab773152132a0b486195995d 3019 3018 2012-05-10T22:24:17Z 31.184.238.15 0 nMKHIYPW wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy flagyl online, oonor, http://cheappurchaseonline.com/buy-generic-kamagra-online-en.html buy kamagra, wdstcw, http://cheappurchaseonline.com/buy-generic-lasix-online-en.html buy lasix, 6513, b4089bdc1ddeca81ec06943a1cc2c7c54dee8966 3020 3019 2012-05-10T22:25:10Z 31.184.238.9 0 uVzKbCmAwzaBuZ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-precose-online-it.html comprare precose, :)), http://onlinefarmacia.it/comprare-acquistare-premarin-online-it.html 
premarin, 533796, http://onlinefarmacia.it/comprare-acquistare-prevacid-online-it.html comprare prevacid, >:-)), http://onlinefarmacia.it/comprare-acquistare-prilosec-online-it.html comprare prilosec, 95532, http://onlinefarmacia.it/comprare-acquistare-prinivil-online-it.html acquistare prinivil, =], http://onlinefarmacia.it/comprare-acquistare-procardia-online-it.html comprare procardia, onr, http://onlinefarmacia.it/comprare-acquistare-prograf-online-it.html comprare prograf, :-D, http://onlinefarmacia.it/comprare-acquistare-prometrium-online-it.html prometrium, 946, http://onlinefarmacia.it/comprare-acquistare-proscar-online-it.html comprare proscar, 448, b3454150888a36ffd010ab91f83ddcf93d8839bd 3021 3020 2012-05-10T22:29:27Z 31.184.238.9 0 IIKZIbtVSbaGaZW wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-famvir-en-ligne-fr.html achat famvir, gyve, http://enlignepharmacie.fr/acheter-achat-feldene-en-ligne-fr.html acheter feldene, >:OOO, http://enlignepharmacie.fr/acheter-achat-female-cialis-en-ligne-fr.html female cialis, 542, http://enlignepharmacie.fr/acheter-achat-female-viagra-en-ligne-fr.html female viagra</a>, 8-))), http://enlignepharmacie.fr/acheter-achat-fempro-en-ligne-fr.html fempro, >:))), http://enlignepharmacie.fr/acheter-achat-fincar-en-ligne-fr.html fincar, %-]]], http://enlignepharmacie.fr/acheter-achat-flomax-en-ligne-fr.html flomax, 411, http://enlignepharmacie.fr/acheter-achat-flonase-en-ligne-fr.html achat flonase, :-]], http://enlignepharmacie.fr/acheter-achat-flovent-en-ligne-fr.html achat flovent, cfias, bdd8c63355f760f961b233d555c8f8cbf31f0374 3022 3021 2012-05-10T22:29:42Z 31.184.238.15 0 zTwiagxVsPAIcCrN wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-levitra-online-en.html buy levitra online, 94102, http://cheappurchaseonline.com/ generic doxycycline, hyk, http://cheappurchaseonline.com/buy-generic-nolvadex-online-en.html buy generic nolvadex, 44069, fa58cfe4fc762a2f7c7376c0de700daab7ff59d4 3023 
3022 2012-05-10T22:33:43Z 31.184.238.9 0 CSpanGJrL wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-nitroglycerin-en-ligne-fr.html acheter nitroglycerin, djg, http://enlignepharmacie.fr/acheter-achat-nizoral-en-ligne-fr.html nizoral, 971, http://enlignepharmacie.fr/acheter-achat-noroxin-en-ligne-fr.html achat noroxin, >:]], http://enlignepharmacie.fr/acheter-achat-nortriptyline-en-ligne-fr.html achat nortriptyline, 104, http://enlignepharmacie.fr/acheter-achat-norvasc-en-ligne-fr.html acheter norvasc, zpms, http://enlignepharmacie.fr/acheter-achat-omnicef-en-ligne-fr.html acheter omnicef, 572, http://enlignepharmacie.fr/acheter-achat-ophthacare-en-ligne-fr.html acheter ophthacare, 664946, http://enlignepharmacie.fr/acheter-achat-oxytrol-en-ligne-fr.html acheter oxytrol, 182337, http://enlignepharmacie.fr/acheter-achat-pamelor-en-ligne-fr.html achat pamelor, crwu, 19745aa3d006e2b5d3cee3352e80699da4869704 3024 3023 2012-05-10T22:35:40Z 31.184.238.15 0 CxeCJoNG wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic--online-en.html accutane, 8-DDD, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy cheap orlistat, btgqie, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy generic prednisone, 868701, 625baac6066b9c58f9fdba41c87c1992984b17be 3025 3024 2012-05-10T22:38:01Z 31.184.238.9 0 ivofrMHa wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-aciclovir-en-ligne-fr.html aciclovir, osmm, http://enlignepharmacie.fr/acheter-achat-aciphex-en-ligne-fr.html aciphex, 475, http://enlignepharmacie.fr/acheter-achat-acticin-en-ligne-fr.html acheter acticin, %DD, http://enlignepharmacie.fr/acheter-achat-actigall-en-ligne-fr.html actigall, %-D, http://enlignepharmacie.fr/acheter-achat-actos-en-ligne-fr.html acheter actos, 913472, http://enlignepharmacie.fr/acheter-achat-adalat-en-ligne-fr.html adalat, 8272, http://enlignepharmacie.fr/acheter-achat-aggrenox-en-ligne-fr.html aggrenox, 7263, 
http://enlignepharmacie.fr/acheter-achat-albenza-en-ligne-fr.html achat albenza, 8926, http://enlignepharmacie.fr/acheter-achat-alesse-en-ligne-fr.html achat alesse, 999, 5c77d1ff534d77b065cecc4545f00991eb4287d7 3026 3025 2012-05-10T22:41:24Z 31.184.238.15 0 kDYKLFRPHfjKUQUFw wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy cheap priligy, ffen, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy generic propecia, 285, http://cheappurchaseonline.com/ generic cialis professional, >:]]], 024eb09d0c6cdb15ff0575e0f15bd04a929aff79 3027 3026 2012-05-10T22:42:12Z 31.184.238.9 0 YQMmkVOcWahvKTDYVg wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-seroquel-online-it.html seroquel, spjy, http://onlinefarmacia.it/comprare-acquistare-shallaki-online-it.html comprare shallaki, 157, http://onlinefarmacia.it/comprare-acquistare-shuddha-guggulu-online-it.html acquistare shuddha guggulu, 2615, http://onlinefarmacia.it/comprare-acquistare-sinemet-cr-online-it.html sinemet cr, pby, http://onlinefarmacia.it/comprare-acquistare-sinemet-online-it.html sinemet, =O, http://onlinefarmacia.it/comprare-acquistare-sinequan-online-it.html comprare sinequan, 65939, http://onlinefarmacia.it/comprare-acquistare-singulair-online-it.html singulair, 603334, http://onlinefarmacia.it/comprare-acquistare-skelaxin-online-it.html acquistare skelaxin, 500712, http://onlinefarmacia.it/comprare-acquistare-sleepwell-online-it.html acquistare sleepwell, >:-DDD, 593d9bf6d644d8944b06675b092f7784fe16cb6f 3028 3027 2012-05-10T22:46:15Z 31.184.238.9 0 yIOHtTKDqthcsOwE wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-slimfast-online-it.html slimfast, lmi, http://onlinefarmacia.it/comprare-acquistare-smok-ox-online-it.html acquistare smok-ox, elxx, http://onlinefarmacia.it/comprare-acquistare-speman-online-it.html comprare speman, 8-DD, http://onlinefarmacia.it/comprare-acquistare-sporanox-online-it.html 
comprare sporanox, yuyzj, http://onlinefarmacia.it/comprare-acquistare-starlix-online-it.html acquistare starlix, 1640, http://onlinefarmacia.it/comprare-acquistare-stromectol-online-it.html stromectol, 47592, http://onlinefarmacia.it/comprare-acquistare-styplon-online-it.html comprare styplon, rjhps, http://onlinefarmacia.it/comprare-acquistare-suminat-online-it.html comprare suminat, awbvjj, http://onlinefarmacia.it/comprare-acquistare-sumycin-online-it.html sumycin, rufksh, 902864163864c9717e1157de323f389ddea18c92 3029 3028 2012-05-10T22:47:14Z 31.184.238.15 0 gOziqFIcSb wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-priligy-online-en.html buy priligy online, 959844, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html generic propecia, 943680, http://cheappurchaseonline.com/ generic kamagra, 155, ffad209209c77131a8f9235051c25581a73defe3 3030 3029 2012-05-10T22:50:28Z 31.184.238.9 0 UbIQFQcSYEEtyENx wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-verampil-online-it.html comprare verampil, =[[[, http://onlinefarmacia.it/comprare-acquistare-verapamil-online-it.html acquistare verapamil, %-), http://onlinefarmacia.it/comprare-acquistare-vermox-online-it.html vermox, 4490, http://onlinefarmacia.it/comprare-acquistare-v-gel-online-it.html comprare v-gel, yildy, http://onlinefarmacia.it/comprare-acquistare-vibramycin-online-it.html comprare vibramycin, 8963, http://onlinefarmacia.it/comprare-acquistare-viramune-online-it.html viramune, zkp, http://onlinefarmacia.it/comprare-acquistare-vitamin-b12-online-it.html vitamin b12, lrtsih, http://onlinefarmacia.it/comprare-acquistare-vitamin-c-online-it.html comprare vitamin c, zbcgdz, http://onlinefarmacia.it/comprare-acquistare-voltaren-online-it.html comprare voltaren, 716, 1d936e188b94f0ef8d8598a82a0067e871c62705 3031 3030 2012-05-10T22:53:17Z 31.184.238.15 0 RZHxnWmvRR wikitext text/x-wiki comment6, 
http://cheappurchaseonline.com/buy-generic-priligy-online-en.html generic priligy, 77300, http://cheappurchaseonline.com/buy-generic-propecia-online-en.html buy propecia, jtu, http://cheappurchaseonline.com/ generic accutane, =(((, 8fe19fa814921c96e5388386175da8c93483e0ba 3032 3031 2012-05-10T22:54:54Z 31.184.238.9 0 WxuGzeTCOh wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-voltaren-xr-online-it.html voltaren xr, 78054, http://onlinefarmacia.it/comprare-acquistare-voltarol-online-it.html voltarol, 8DDD, http://onlinefarmacia.it/comprare-acquistare-voveran-online-it.html acquistare voveran, qyrkcc, http://onlinefarmacia.it/comprare-acquistare-voveran-sr-online-it.html acquistare voveran sr, =[[, http://onlinefarmacia.it/comprare-acquistare-wondersleep-online-it.html wondersleep, %P, http://onlinefarmacia.it/comprare-acquistare-xalatan-0005-online-it.html xalatan 0.005%, 837, http://onlinefarmacia.it/comprare-acquistare-xeloda-online-it.html comprare xeloda, >:-D, http://onlinefarmacia.it/comprare-acquistare-yagara-online-it.html comprare yagara, zwopnh, http://onlinefarmacia.it/comprare-acquistare-zagam-online-it.html zagam, nojbhi, fad618467d48aac2d9955f41c3b141822eae1293 3033 3032 2012-05-10T22:58:49Z 31.184.238.15 0 hkMVxLzCuWorzSG wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic--online-en.html accutane, 20454, http://cheappurchaseonline.com/buy-generic-orlistat-online-en.html buy generic orlistat, =-P, http://cheappurchaseonline.com/buy-generic-prednisone-online-en.html buy cheap prednisone, fewdwr, ddeac8941701995efc8de28f087776146a7271db 3034 3033 2012-05-10T22:59:04Z 31.184.238.9 0 mVBSfOKibiNf wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-voltaren-xr-online-it.html acquistare voltaren xr, vbabnv, http://onlinefarmacia.it/comprare-acquistare-voltarol-online-it.html comprare voltarol, :PPP, http://onlinefarmacia.it/comprare-acquistare-voveran-online-it.html comprare voveran, 283594, 
http://onlinefarmacia.it/comprare-acquistare-voveran-sr-online-it.html comprare voveran sr, =-)), http://onlinefarmacia.it/comprare-acquistare-wondersleep-online-it.html acquistare wondersleep, joh, http://onlinefarmacia.it/comprare-acquistare-xalatan-0005-online-it.html acquistare xalatan 0.005%, cadsc, http://onlinefarmacia.it/comprare-acquistare-xeloda-online-it.html acquistare xeloda, %-OOO, http://onlinefarmacia.it/comprare-acquistare-yagara-online-it.html yagara, 8[[, http://onlinefarmacia.it/comprare-acquistare-zagam-online-it.html acquistare zagam, =-), e6d87e7e23727ee8fb471f484e21407b800c49c6 3035 3034 2012-05-10T23:03:17Z 31.184.238.9 0 YymayMyaDcq wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-voltaren-xr-online-it.html voltaren xr, 7673, http://onlinefarmacia.it/comprare-acquistare-voltarol-online-it.html voltarol, >:-((, http://onlinefarmacia.it/comprare-acquistare-voveran-online-it.html acquistare voveran, :-[[[, http://onlinefarmacia.it/comprare-acquistare-voveran-sr-online-it.html acquistare voveran sr, %-PPP, http://onlinefarmacia.it/comprare-acquistare-wondersleep-online-it.html comprare wondersleep, :-OOO, http://onlinefarmacia.it/comprare-acquistare-xalatan-0005-online-it.html acquistare xalatan 0.005%, wbwv, http://onlinefarmacia.it/comprare-acquistare-xeloda-online-it.html acquistare xeloda, qoqo, http://onlinefarmacia.it/comprare-acquistare-yagara-online-it.html yagara, weh, http://onlinefarmacia.it/comprare-acquistare-zagam-online-it.html zagam, 134160, 72814840cc639282b4fe5a2928c51fec8f6db48b Linux Security Summit 2012 0 8 3036 3035 2012-05-10T23:04:00Z 31.184.238.15 0 AOXELFrXvYIYBtHJ wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-viagra-super-active-online-en.html viagra super active, 832, http://cheappurchaseonline.com/buy-generic-zithromax-online-en.html buy zithromax online, dpsr, http://cheappurchaseonline.com/ generic doxycycline, =-(((, eda2d76078658f9e261f6bc461ed359098e821de 3037 
3036 2012-05-10T23:07:21Z 31.184.238.9 0 pxdtvsntenbDKqhe wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-nolvadex-en-ligne-fr.html achat nolvadex, 407, http://enlignepharmacie.fr/acheter-achat-orlistat-en-ligne-fr.html vente orlistat, xbyfd, http://enlignepharmacie.fr/acheter-achat-prednisone-en-ligne-fr.html acheter prednisone en ligne, %OO, http://enlignepharmacie.fr/acheter-achat-priligy-en-ligne-fr.html generique priligy, %-O, http://enlignepharmacie.fr/ acheter flagyl, 535, http://enlignepharmacie.fr/acheter-achat-propecia-en-ligne-fr.html acheter propecia, 8PPP, http://enlignepharmacie.fr/acheter-achat-strattera-en-ligne-fr.html acheter strattera en ligne, %))), http://enlignepharmacie.fr/acheter-achat-viagra-en-ligne-fr.html vente viagra, ddkcn, http://enlignepharmacie.fr/acheter-achat-viagra-professional-en-ligne-fr.html achat viagra professional, xxtf, 94c816fd98b8b25879f391d0740902831c56cfa8 3038 3037 2012-05-10T23:11:59Z 31.184.238.9 0 YIdvoYvKj wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-calan-sr-en-ligne-fr.html calan sr, 991613, http://enlignepharmacie.fr/acheter-achat-calcium-carbonate-en-ligne-fr.html calcium carbonate, %-], http://enlignepharmacie.fr/acheter-achat-capoten-en-ligne-fr.html acheter capoten, 366, http://enlignepharmacie.fr/acheter-achat-carafate-en-ligne-fr.html achat carafate, 669, http://enlignepharmacie.fr/acheter-achat-cardarone-en-ligne-fr.html acheter cardarone, 87179, http://enlignepharmacie.fr/acheter-achat-cardura-en-ligne-fr.html cardura, >:], http://enlignepharmacie.fr/acheter-achat-cataflam-en-ligne-fr.html cataflam, =-[[, http://enlignepharmacie.fr/acheter-achat-catapres-en-ligne-fr.html achat catapres, 669788, http://enlignepharmacie.fr/acheter-achat-ceclor-cd-en-ligne-fr.html achat ceclor cd, %-[[[, 0bafa84ab94b88381ab3c2a41274dbced5fe5bfb 3039 3038 2012-05-10T23:15:59Z 31.184.238.9 0 adRVBQWf wikitext text/x-wiki , 
http://generiquesmedicaments.fr/acheter-achat-kamagra-en-ligne-fr.html achat kamagra, dnv, http://generiquesmedicaments.fr/acheter-achat-lasix-en-ligne-fr.html vente lasix, =-]]], http://generiquesmedicaments.fr/ acheter amoxil, 719438, http://generiquesmedicaments.fr/acheter-achat-levitra-en-ligne-fr.html vente levitra, %]], http://generiquesmedicaments.fr/acheter-achat-nolvadex-en-ligne-fr.html acheter nolvadex en ligne, %DDD, http://generiquesmedicaments.fr/acheter-achat-orlistat-en-ligne-fr.html achat orlistat, 82196, http://generiquesmedicaments.fr/acheter-achat-prednisone-en-ligne-fr.html generique prednisone, =))), http://generiquesmedicaments.fr/acheter-achat-priligy-en-ligne-fr.html achat priligy, pbyztc, http://generiquesmedicaments.fr/ acheter cipro, =]]], fb59c6b087ff7ef52b9e3103eae143deb7f57639 3040 3039 2012-05-10T23:20:01Z 31.184.238.9 0 TKaOiVNF wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-remeron-online-it.html comprare remeron, zrx, http://onlinefarmacia.it/comprare-acquistare-reminyl-online-it.html comprare reminyl, 688380, http://onlinefarmacia.it/comprare-acquistare-reosto-online-it.html acquistare reosto, 8-[[, http://onlinefarmacia.it/comprare-acquistare-requip-online-it.html comprare requip, 8-PP, http://onlinefarmacia.it/comprare-acquistare-retin-a-online-it.html comprare retin-a, hdbmlh, http://onlinefarmacia.it/comprare-acquistare-retrovir-online-it.html acquistare retrovir, dzrqvb, http://onlinefarmacia.it/comprare-acquistare-revia-online-it.html comprare revia, 832004, http://onlinefarmacia.it/comprare-acquistare-risnia-online-it.html risnia, 871, http://onlinefarmacia.it/comprare-acquistare-risperdal-online-it.html acquistare risperdal, 8PP, 275cb7df94582a108a1c36e56b34657c1a6a5bbd 3041 3040 2012-05-10T23:20:59Z 31.184.238.15 0 eTlkOaclgUYRIfh wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-flagyl-online-en.html buy generic flagyl, mnxp, 
http://onlinefarmacia.it/comprare-acquistare-fluoxetine-online-it.html fluoxetine, dhw, http://onlinefarmacia.it/comprare-acquistare-fosamax-online-it.html comprare fosamax, 8267, http://onlinefarmacia.it/comprare-acquistare-frumil-online-it.html frumil, kphhl, http://onlinefarmacia.it/comprare-acquistare-fulvicin-online-it.html acquistare fulvicin, 19981, http://onlinefarmacia.it/comprare-acquistare-furadantin-online-it.html furadantin, puce, http://onlinefarmacia.it/comprare-acquistare-furoxone-online-it.html acquistare furoxone, bgjuce, cd2285b13d34a9a4cafffd85f01a0fd28cd28466 3101 3100 2012-05-11T01:46:09Z 31.184.238.15 0 sboMRPmwzaRub wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-isordil-online-en.html buy isordil online, 8]], http://cheappurchaseonline.com/buy-generic-karela-online-en.html buy karela online, kgc, http://cheappurchaseonline.com/buy-generic-keflex-online-en.html buy keflex, vufbmt, http://cheappurchaseonline.com/buy-generic-keftab-online-en.html buy keftab, >:DDD, http://cheappurchaseonline.com/buy-generic-kemadrin-online-en.html buy kemadrin, 310039, http://cheappurchaseonline.com/buy-generic-lamictal-online-en.html buy lamictal online, rmcadl, http://cheappurchaseonline.com/buy-generic-lamisil-online-en.html buy lamisil, vfsxqz, http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html buy lamprene, zlip, 59a24bbefabfffd155fbd9c8809f1bf66a7d3f9d 3102 3101 2012-05-11T01:47:26Z 31.184.238.9 0 aIqQWhNdcwqsL wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-tetracycline-online-it.html tetracycline, vhoub, http://onlinefarmacia.it/comprare-acquistare-theo-24-cr-online-it.html theo-24 cr, yooou, http://onlinefarmacia.it/comprare-acquistare-theo-24-sr-online-it.html theo-24 sr, 6548, http://onlinefarmacia.it/comprare-acquistare-thorazine-online-it.html acquistare thorazine, 747127, http://onlinefarmacia.it/comprare-acquistare-ticlid-online-it.html ticlid, shat, 
http://onlinefarmacia.it/comprare-acquistare-tinidazole-online-it.html comprare tinidazole, 51752, http://onlinefarmacia.it/comprare-acquistare-tofranil-online-it.html acquistare tofranil, =-OO, http://onlinefarmacia.it/comprare-acquistare-topamax-online-it.html acquistare topamax, 081, http://onlinefarmacia.it/comprare-acquistare-toprol-online-it.html comprare toprol, 862511, a370571936fad05dbba01fb1ca30e0c68961f5a9 3103 3102 2012-05-11T01:51:20Z 31.184.238.15 0 kgrJwiKzpyq wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-danocrine-online-en.html buy danocrine, 4807, http://cheappurchaseonline.com/buy-generic-dapsone-online-en.html buy dapsone, 190111, http://cheappurchaseonline.com/buy-generic-ddavp-online-en.html buy ddavp online, qtmlrb, http://cheappurchaseonline.com/buy-generic-decadron-online-en.html generic decadron, 474, http://cheappurchaseonline.com/buy-generic-depakote-online-en.html buy depakote, =], http://cheappurchaseonline.com/buy-generic-desogen-online-en.html buy desogen, qepdyw, http://cheappurchaseonline.com/buy-generic-desyrel-online-en.html buy desyrel, 8014, http://cheappurchaseonline.com/buy-generic-detrol-la-online-en.html buy detrol la, %-DD, 23c9ea602926a7bde5c3a09c50e50a85b9cd3739 3104 3103 2012-05-11T01:51:54Z 31.184.238.9 0 pVdHZkkk wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-super-ed-trial-pack-online-it.html super ed trial pack, :DDD, http://onlinefarmacia.it/comprare-acquistare-sustiva-online-it.html sustiva, vxcf, http://onlinefarmacia.it/comprare-acquistare-symmetrel-online-it.html symmetrel, jjlj, http://onlinefarmacia.it/comprare-acquistare-synthroid-online-it.html comprare synthroid, keyxu, http://onlinefarmacia.it/comprare-acquistare-tegopen-online-it.html comprare tegopen, atj, http://onlinefarmacia.it/comprare-acquistare-tenormin-online-it.html acquistare tenormin, 77375, http://onlinefarmacia.it/comprare-acquistare-tentex-forte-online-it.html comprare tentex forte, 986591, 
http://onlinefarmacia.it/comprare-acquistare-tentex-royal-online-it.html comprare tentex royal, 538807, http://onlinefarmacia.it/comprare-acquistare-terramycin-online-it.html comprare terramycin, =O, f5dbe139f944da6b51f09269da6b003152876c62 3105 3104 2012-05-11T01:56:14Z 31.184.238.9 0 GGBCBcKMgmhNDiNztt wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-pamelor-online-it.html acquistare pamelor, :-]]], http://onlinefarmacia.it/comprare-acquistare-panadol-online-it.html panadol, csybj, http://onlinefarmacia.it/comprare-acquistare-parlodel-online-it.html comprare parlodel, 8DDD, http://onlinefarmacia.it/comprare-acquistare-paxil-cr-online-it.html paxil cr, grhx, http://onlinefarmacia.it/comprare-acquistare-paxil-online-it.html paxil, =P, http://onlinefarmacia.it/comprare-acquistare-pentasa-online-it.html comprare pentasa, :(, http://onlinefarmacia.it/comprare-acquistare-pepcid-online-it.html comprare pepcid, 8-]]], http://onlinefarmacia.it/comprare-acquistare-periactin-online-it.html acquistare periactin, 991, http://onlinefarmacia.it/comprare-acquistare-persantine-online-it.html persantine, :-), 5c86a50cfeeac8b432d153cd8d77fc77773cdc07 3106 3105 2012-05-11T01:56:28Z 31.184.238.15 0 pDTbtYFbDGzKiMfgm wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-uroxatral-online-en.html generic uroxatral, lrui, http://cheappurchaseonline.com/buy-generic-urso-online-en.html generic urso, >:]]], http://cheappurchaseonline.com/buy-generic-valparin-online-en.html buy valparin, pjnb, http://cheappurchaseonline.com/buy-generic-valtrex-online-en.html buy valtrex online, %D, http://cheappurchaseonline.com/buy-generic-vantin-online-en.html buy vantin online, 710, http://cheappurchaseonline.com/buy-generic-vasotec-online-en.html buy vasotec online, nxmt, http://cheappurchaseonline.com/buy-generic-venlor-online-en.html buy venlor online, hbh, http://cheappurchaseonline.com/buy-generic-ventolin-online-en.html generic ventolin, rrz, 
53324c8b620315351e11380f23bcfb0c3b15852a 3107 3106 2012-05-11T02:00:19Z 31.184.238.9 0 pXmAAEVdnsQdtjK wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-aciclovir-en-ligne-fr.html aciclovir, 253, http://enlignepharmacie.fr/acheter-achat-aciphex-en-ligne-fr.html aciphex, uubxyx, http://enlignepharmacie.fr/acheter-achat-acticin-en-ligne-fr.html acheter acticin, 51375, http://enlignepharmacie.fr/acheter-achat-actigall-en-ligne-fr.html achat actigall, 822, http://enlignepharmacie.fr/acheter-achat-actos-en-ligne-fr.html achat actos, 721, http://enlignepharmacie.fr/acheter-achat-adalat-en-ligne-fr.html acheter adalat, 8(((, http://enlignepharmacie.fr/acheter-achat-aggrenox-en-ligne-fr.html acheter aggrenox, 358, http://enlignepharmacie.fr/acheter-achat-albenza-en-ligne-fr.html achat albenza, 92941, http://enlignepharmacie.fr/acheter-achat-alesse-en-ligne-fr.html alesse, 743, cc816891008d3b0f359fc232d90f8d7bcfbd343d 3108 3107 2012-05-11T02:01:42Z 31.184.238.15 0 SxllyiGLcqioAsV wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html generic cozaar, 846045, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html generic crestor, :O, http://cheappurchaseonline.com/buy-generic-crixivan-online-en.html buy crixivan online, hswimv, http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html buy cymbalta, dllhf, http://cheappurchaseonline.com/buy-generic-cystone-online-en.html generic cystone, %((, http://cheappurchaseonline.com/buy-generic-cytotec-online-en.html buy cytotec, 8]]], http://cheappurchaseonline.com/buy-generic-cytoxan-online-en.html buy cytoxan, fzhuhb, http://cheappurchaseonline.com/buy-generic-danazol-online-en.html buy danazol, 4728, a8eae82eeebf821d517a0683fc287fc9cb2724c9 3109 3108 2012-05-11T02:04:44Z 31.184.238.9 0 XMzhlxhCUMaRf wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-toprol-xl-online-it.html comprare toprol xl, 8], 
http://onlinefarmacia.it/comprare-acquistare-trandate-online-it.html comprare trandate, 8O, http://onlinefarmacia.it/comprare-acquistare-trecator-sc-online-it.html comprare trecator-sc, oke, http://onlinefarmacia.it/comprare-acquistare-trental-online-it.html acquistare trental, 8-OOO, http://onlinefarmacia.it/comprare-acquistare-tricor-online-it.html comprare tricor, 83085, http://onlinefarmacia.it/comprare-acquistare-trileptal-online-it.html comprare trileptal, zemdnt, http://onlinefarmacia.it/comprare-acquistare-tritace-online-it.html comprare tritace, vvgr, http://onlinefarmacia.it/comprare-acquistare-tylenol-online-it.html comprare tylenol, 68743, http://onlinefarmacia.it/comprare-acquistare-uniphyl-cr-online-it.html uniphyl cr, 19684, eeb8a32a3773bdb2e3490a4c9f354c2e04df12b9 3110 3109 2012-05-11T02:07:00Z 31.184.238.15 0 DEoEBShB wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-avodart-online-en.html generic avodart, 636, http://cheappurchaseonline.com/buy-generic-aygestin-online-en.html buy aygestin, 9180, http://cheappurchaseonline.com/buy-generic-azulfidine-online-en.html buy azulfidine online, 829, http://cheappurchaseonline.com/buy-generic-baclofen-online-en.html buy baclofen online, :-PPP, http://cheappurchaseonline.com/buy-generic-beloc-online-en.html generic beloc, jxm, http://cheappurchaseonline.com/buy-generic-benadryl-online-en.html buy benadryl, vwk, http://cheappurchaseonline.com/buy-generic-benemid-online-en.html buy benemid online, cbrw, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html buy benicar online, ipq, c4a5b0d610cf6860659ebefcd3fadaad595f4d0d 3111 3110 2012-05-11T02:08:56Z 31.184.238.9 0 vGChvAFrMuZ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-slimfast-online-it.html comprare slimfast, rtabf, http://onlinefarmacia.it/comprare-acquistare-smok-ox-online-it.html smok-ox, rlcohe, http://onlinefarmacia.it/comprare-acquistare-speman-online-it.html comprare speman, >:-O, 
http://onlinefarmacia.it/comprare-acquistare-sporanox-online-it.html acquistare sporanox, jgxybo, http://onlinefarmacia.it/comprare-acquistare-starlix-online-it.html starlix, qmztk, http://onlinefarmacia.it/comprare-acquistare-stromectol-online-it.html acquistare stromectol, 128, http://onlinefarmacia.it/comprare-acquistare-styplon-online-it.html comprare styplon, zfy, http://onlinefarmacia.it/comprare-acquistare-suminat-online-it.html comprare suminat, 02386, http://onlinefarmacia.it/comprare-acquistare-sumycin-online-it.html comprare sumycin, 8102, 242602207bd9a377a8b47eb769f953c1d4388b7c 3112 3111 2012-05-11T02:12:21Z 31.184.238.15 0 bhaEOjihH wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-uroxatral-online-en.html generic uroxatral, 218391, http://cheappurchaseonline.com/buy-generic-urso-online-en.html generic urso, 7119, http://cheappurchaseonline.com/buy-generic-valparin-online-en.html generic valparin, =-(((, http://cheappurchaseonline.com/buy-generic-valtrex-online-en.html generic valtrex, rwmsq, http://cheappurchaseonline.com/buy-generic-vantin-online-en.html generic vantin, icygdf, http://cheappurchaseonline.com/buy-generic-vasotec-online-en.html buy vasotec online, ouhuip, http://cheappurchaseonline.com/buy-generic-venlor-online-en.html buy venlor, hsw, http://cheappurchaseonline.com/buy-generic-ventolin-online-en.html buy ventolin, 00170, 95b2c19f2f59f3f6c7bbddcc3154ae44d7a746e2 3113 3112 2012-05-11T02:13:20Z 31.184.238.9 0 GiLmmXJypiV wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-robaxin-online-it.html comprare robaxin, 18653, http://onlinefarmacia.it/comprare-acquistare-rocaltrol-online-it.html rocaltrol, 83417, http://onlinefarmacia.it/comprare-acquistare-rulide-online-it.html acquistare rulide, 491396, http://onlinefarmacia.it/comprare-acquistare-rumalaya-fort-online-it.html acquistare rumalaya fort, :-P, http://onlinefarmacia.it/comprare-acquistare-rumalaya-online-it.html comprare rumalaya, dkbx, 
http://onlinefarmacia.it/comprare-acquistare-rythmol-online-it.html rythmol, 66586, http://onlinefarmacia.it/comprare-acquistare-septilin-online-it.html comprare septilin, uha, http://onlinefarmacia.it/comprare-acquistare-serevent-online-it.html serevent, olhvlh, http://onlinefarmacia.it/comprare-acquistare-serophene-online-it.html serophene, ooo, c20ff2764b7ee340d4ecfdb02061517a25fcd306 3114 3113 2012-05-11T02:17:33Z 31.184.238.9 0 iJJCzpxF wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-super-ed-trial-pack-online-it.html acquistare super ed trial pack, =-DDD, http://onlinefarmacia.it/comprare-acquistare-sustiva-online-it.html sustiva, 5235, http://onlinefarmacia.it/comprare-acquistare-symmetrel-online-it.html symmetrel, 492, http://onlinefarmacia.it/comprare-acquistare-synthroid-online-it.html acquistare synthroid, oey, http://onlinefarmacia.it/comprare-acquistare-tegopen-online-it.html acquistare tegopen, qai, http://onlinefarmacia.it/comprare-acquistare-tenormin-online-it.html comprare tenormin, 1954, http://onlinefarmacia.it/comprare-acquistare-tentex-forte-online-it.html tentex forte, :PP, http://onlinefarmacia.it/comprare-acquistare-tentex-royal-online-it.html tentex royal, uamx, http://onlinefarmacia.it/comprare-acquistare-terramycin-online-it.html comprare terramycin, jhd, 992e8cff524ac5207061f39b838bec43f52ad194 3115 3114 2012-05-11T02:17:55Z 31.184.238.15 0 tRoDdYYIDsb wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-phoslo-online-en.html buy phoslo online, gqnqz, http://cheappurchaseonline.com/buy-generic-pilex-online-en.html buy pilex online, =-D, http://cheappurchaseonline.com/buy-generic-plavix-online-en.html buy plavix online, 87619, http://cheappurchaseonline.com/buy-generic-plendil-online-en.html generic plendil, agh, http://cheappurchaseonline.com/buy-generic-pletal-online-en.html buy pletal, =))), http://cheappurchaseonline.com/buy-generic-ponstel-online-en.html buy ponstel online, %-PP, 
http://cheappurchaseonline.com/buy-generic-prandin-online-en.html buy prandin, 54959, http://cheappurchaseonline.com/buy-generic-precose-online-en.html buy precose, 741285, 7118123af5d2bf28a95fee1659b4bd629982191b 3116 3115 2012-05-11T02:21:48Z 31.184.238.9 0 kXgohTKcKgyGAIZM wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-verampil-online-it.html comprare verampil, >:-[[[, http://onlinefarmacia.it/comprare-acquistare-verapamil-online-it.html verapamil, >:-D, http://onlinefarmacia.it/comprare-acquistare-vermox-online-it.html acquistare vermox, %-OO, http://onlinefarmacia.it/comprare-acquistare-v-gel-online-it.html v-gel, 616, http://onlinefarmacia.it/comprare-acquistare-vibramycin-online-it.html acquistare vibramycin, 0754, http://onlinefarmacia.it/comprare-acquistare-viramune-online-it.html comprare viramune, 429, http://onlinefarmacia.it/comprare-acquistare-vitamin-b12-online-it.html acquistare vitamin b12, 8-((, http://onlinefarmacia.it/comprare-acquistare-vitamin-c-online-it.html vitamin c, =(, http://onlinefarmacia.it/comprare-acquistare-voltaren-online-it.html voltaren, =-((, ce5b98a8579bd82ebcfd0be51322036bc8bff635 3117 3116 2012-05-11T02:22:50Z 31.184.238.15 0 yTcQOboChZ wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-frumil-online-en.html buy frumil, pgxs, http://cheappurchaseonline.com/buy-generic-fulvicin-online-en.html buy fulvicin online, 5378, http://cheappurchaseonline.com/buy-generic-furadantin-online-en.html generic furadantin, =-OO, http://cheappurchaseonline.com/buy-generic-furoxone-online-en.html buy furoxone, dnxf, http://cheappurchaseonline.com/buy-generic-gasex-online-en.html buy gasex, 8-]]], http://cheappurchaseonline.com/buy-generic-geodon-online-en.html buy geodon online, nnowl, http://cheappurchaseonline.com/buy-generic-geriforte-online-en.html buy geriforte online, pxp, http://cheappurchaseonline.com/buy-generic-gestanin-online-en.html generic gestanin, :-DDD, 
44b62e0037fd50729f4830243aeeb8770e383b93 3118 3117 2012-05-11T02:26:04Z 31.184.238.9 0 MLNQYOmpMEcrqsFj wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zovirax-online-it.html zovirax, 8-O, http://onlinefarmacia.it/comprare-acquistare-zyban-online-it.html zyban, tqdggz, http://onlinefarmacia.it/comprare-acquistare-zyloprim-online-it.html acquistare zyloprim, 9002, http://onlinefarmacia.it/comprare-acquistare-zyprexa-online-it.html zyprexa, 2564, http://onlinefarmacia.it/comprare-acquistare-zyrtec-online-it.html zyrtec, jvgufg, http://onlinefarmacia.it/comprare-acquistare-zyvox-online-it.html comprare zyvox, 4211, 313a1a0c52db1a3c0b75bb0864a315a33a9b05b5 3119 3118 2012-05-11T02:28:03Z 31.184.238.15 0 DLqwxwiivEmQ wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-lanoxin-online-en.html buy lanoxin online, bude, http://cheappurchaseonline.com/buy-generic-lasuna-online-en.html buy lasuna online, %(((, http://cheappurchaseonline.com/buy-generic-leukeran-online-en.html generic leukeran, >:[[, http://cheappurchaseonline.com/buy-generic-levaquin-online-en.html buy levaquin, qggwo, http://cheappurchaseonline.com/buy-generic-lexapro-online-en.html buy lexapro, 1154, http://cheappurchaseonline.com/buy-generic-lincocin-online-en.html generic lincocin, :[[[, http://cheappurchaseonline.com/buy-generic-lioresal-online-en.html generic lioresal, coxh, http://cheappurchaseonline.com/buy-generic-lipitor-online-en.html buy lipitor, 13491, 43597467b59fd31d98a777e947b4b4acd1b0ce32 3120 3119 2012-05-11T02:30:25Z 31.184.238.9 0 STUiaMek wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-slimfast-online-it.html slimfast, 8DD, http://onlinefarmacia.it/comprare-acquistare-smok-ox-online-it.html smok-ox, ijpgp, http://onlinefarmacia.it/comprare-acquistare-speman-online-it.html speman, fpgjw, http://onlinefarmacia.it/comprare-acquistare-sporanox-online-it.html comprare sporanox, vqpn, 
http://onlinefarmacia.it/comprare-acquistare-starlix-online-it.html acquistare starlix, jlusgq, http://onlinefarmacia.it/comprare-acquistare-stromectol-online-it.html comprare stromectol, szvfoc, http://onlinefarmacia.it/comprare-acquistare-styplon-online-it.html styplon, yhnv, http://onlinefarmacia.it/comprare-acquistare-suminat-online-it.html comprare suminat, =), http://onlinefarmacia.it/comprare-acquistare-sumycin-online-it.html sumycin, =-[, a35e6095390b0309361872f6d8514676c8573400 3121 3120 2012-05-11T02:33:48Z 31.184.238.15 0 ujdfmPbbdXrgUEmkHCz wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-paxil-cr-online-en.html buy paxil cr, aoxfeg, http://cheappurchaseonline.com/buy-generic-paxil-online-en.html buy paxil, :]], http://cheappurchaseonline.com/buy-generic-pentasa-online-en.html buy pentasa, %-), http://cheappurchaseonline.com/buy-generic-pepcid-online-en.html generic pepcid, 5001, http://cheappurchaseonline.com/buy-generic-periactin-online-en.html buy periactin online, gkl, http://cheappurchaseonline.com/buy-generic-persantine-online-en.html buy persantine online, vvem, http://cheappurchaseonline.com/buy-generic-phenamax-online-en.html generic phenamax, yvj, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html buy phenergan, >:[, e203c8060f27bb25ad2707b1e86dcdb93fa36df3 3122 3121 2012-05-11T02:35:01Z 31.184.238.9 0 WiKCkTnSifnnpF wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-robaxin-online-it.html acquistare robaxin, %]], http://onlinefarmacia.it/comprare-acquistare-rocaltrol-online-it.html acquistare rocaltrol, %]], http://onlinefarmacia.it/comprare-acquistare-rulide-online-it.html comprare rulide, :-[[, http://onlinefarmacia.it/comprare-acquistare-rumalaya-fort-online-it.html acquistare rumalaya fort, nfpw, http://onlinefarmacia.it/comprare-acquistare-rumalaya-online-it.html acquistare rumalaya, sgnb, http://onlinefarmacia.it/comprare-acquistare-rythmol-online-it.html comprare rythmol, 8]]], 
http://onlinefarmacia.it/comprare-acquistare-septilin-online-it.html acquistare septilin, bvqi, http://onlinefarmacia.it/comprare-acquistare-serevent-online-it.html serevent, ixg, http://onlinefarmacia.it/comprare-acquistare-serophene-online-it.html serophene, wajung, 713aaff52bd999db809fd813c76c6d5f22c5b89b 3123 3122 2012-05-11T02:39:13Z 31.184.238.9 0 vmSwAmPrjtStbUAV wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-lukol-online-it.html acquistare lukol, %), http://onlinefarmacia.it/comprare-acquistare-luvox-online-it.html acquistare luvox, %DD, http://onlinefarmacia.it/comprare-acquistare-lynoral-online-it.html acquistare lynoral, =[, http://onlinefarmacia.it/comprare-acquistare-macrobid-online-it.html macrobid, 929729, http://onlinefarmacia.it/comprare-acquistare-maxalt-online-it.html comprare maxalt, ocxk, http://onlinefarmacia.it/comprare-acquistare-maxaquin-online-it.html acquistare maxaquin, =-(, http://onlinefarmacia.it/comprare-acquistare-maxolon-online-it.html comprare maxolon, =]], http://onlinefarmacia.it/comprare-acquistare-meclizine-online-it.html comprare meclizine, =-]]], http://onlinefarmacia.it/comprare-acquistare-mellaril-online-it.html mellaril, eczybm, d7112b3317b8af9d66b097ddc4e7dcc3b896fa9f 3124 3123 2012-05-11T02:39:24Z 31.184.238.15 0 dnWmYiUnCTQmZhNPaNk wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-uroxatral-online-en.html buy uroxatral online, vxyfi, http://cheappurchaseonline.com/buy-generic-urso-online-en.html generic urso, fek, http://cheappurchaseonline.com/buy-generic-valparin-online-en.html buy valparin online, 40730, http://cheappurchaseonline.com/buy-generic-valtrex-online-en.html buy valtrex, 636775, http://cheappurchaseonline.com/buy-generic-vantin-online-en.html generic vantin, 3682, http://cheappurchaseonline.com/buy-generic-vasotec-online-en.html buy vasotec online, sbrfuc, http://cheappurchaseonline.com/buy-generic-venlor-online-en.html generic venlor, zwqv, 
http://cheappurchaseonline.com/buy-generic-ventolin-online-en.html buy ventolin, %-)), 23a113e074ddc07b5badbfd857ebe1bff63ebd80 3125 3124 2012-05-11T02:43:25Z 31.184.238.9 0 SKwcgsRp wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-voltaren-xr-online-it.html voltaren xr, =-[, http://onlinefarmacia.it/comprare-acquistare-voltarol-online-it.html comprare voltarol, 387, http://onlinefarmacia.it/comprare-acquistare-voveran-online-it.html comprare voveran, %-DDD, http://onlinefarmacia.it/comprare-acquistare-voveran-sr-online-it.html voveran sr, 132, http://onlinefarmacia.it/comprare-acquistare-wondersleep-online-it.html wondersleep, 222, http://onlinefarmacia.it/comprare-acquistare-xalatan-0005-online-it.html acquistare xalatan 0.005%, 256, http://onlinefarmacia.it/comprare-acquistare-xeloda-online-it.html xeloda, >:(, http://onlinefarmacia.it/comprare-acquistare-yagara-online-it.html comprare yagara, rhw, http://onlinefarmacia.it/comprare-acquistare-zagam-online-it.html acquistare zagam, %-P, 4d7eea2feb20c483673200d19dfdfd60b08fb190 3126 3125 2012-05-11T02:44:31Z 31.184.238.15 0 DeQRExxAlkrVz wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-thorazine-online-en.html buy thorazine online, 341247, http://cheappurchaseonline.com/buy-generic-ticlid-online-en.html buy ticlid, >:-OOO, http://cheappurchaseonline.com/buy-generic-tinidazole-online-en.html buy tinidazole online, ssjf, http://cheappurchaseonline.com/buy-generic-tofranil-online-en.html buy tofranil, 27375, http://cheappurchaseonline.com/buy-generic-topamax-online-en.html buy topamax, 9459, http://cheappurchaseonline.com/buy-generic-toprol-online-en.html generic toprol, 0670, http://cheappurchaseonline.com/buy-generic-toprol-xl-online-en.html buy toprol xl online, 931091, http://cheappurchaseonline.com/buy-generic-trandate-online-en.html generic trandate, 522, 8205430163a29532da3cd45956efb6719a578dd0 3127 3126 2012-05-11T02:47:54Z 31.184.238.9 0 ZZHHhhnwKuuwASx wikitext 
text/x-wiki , http://enlignepharmacie.fr/ acheter lasix, 8], http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html generique accutane, :-DDD, http://enlignepharmacie.fr/acheter-achat-amoxil-en-ligne-fr.html amoxil, 8-]], http://enlignepharmacie.fr/acheter-achat-cialis-en-ligne-fr.html vente cialis, eoqfx, http://enlignepharmacie.fr/acheter-achat-cialis-professional-en-ligne-fr.html vente cialis professional, ljbdms, http://enlignepharmacie.fr/ acheter flagyl, xvbfb, http://enlignepharmacie.fr/acheter-achat-cialis-super-active-en-ligne-fr.html cialis super active, 89635, http://enlignepharmacie.fr/acheter-achat-cipro-en-ligne-fr.html achat cipro, 27345, http://enlignepharmacie.fr/acheter-achat-clomid-en-ligne-fr.html vente clomid, 559572, c7a9591edccc179749db71db1878f54811dac811 3128 3127 2012-05-11T02:49:49Z 31.184.238.15 0 dIeLprXckzxIhbfC wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-epivir-hbv-online-en.html buy epivir hbv, =-], http://cheappurchaseonline.com/buy-generic-epivir-online-en.html buy epivir, >:-PP, http://cheappurchaseonline.com/buy-generic-erythromycin-online-en.html buy erythromycin online, qck, http://cheappurchaseonline.com/buy-generic-eskalith-online-en.html buy eskalith online, 504, http://cheappurchaseonline.com/buy-generic-estrace-online-en.html buy estrace, 3187, http://cheappurchaseonline.com/buy-generic-etodolac-online-en.html buy etodolac online, 8], http://cheappurchaseonline.com/buy-generic-evecare-online-en.html generic evecare, ndteh, http://cheappurchaseonline.com/buy-generic-evista-online-en.html buy evista online, :PP, 67b9fd1b63fba92410235590580e4c3abfcf30a2 3129 3128 2012-05-11T02:52:14Z 31.184.238.9 0 mBqEbCdVRP wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-monoket-online-it.html comprare monoket, ycmrv, http://onlinefarmacia.it/comprare-acquistare-monopril-online-it.html comprare monopril, xxtvh, http://onlinefarmacia.it/comprare-acquistare-motilium-online-it.html 
acquistare motilium, xtk, http://onlinefarmacia.it/comprare-acquistare-myambutol-online-it.html acquistare myambutol, pouaex, http://onlinefarmacia.it/comprare-acquistare-mysoline-online-it.html acquistare mysoline, put, http://onlinefarmacia.it/comprare-acquistare-naprelan-online-it.html naprelan, hrq, http://onlinefarmacia.it/comprare-acquistare-neem-online-it.html neem, fimdk, http://onlinefarmacia.it/comprare-acquistare-neurontin-online-it.html acquistare neurontin, 9973, http://onlinefarmacia.it/comprare-acquistare-nexium-online-it.html comprare nexium, %-))), 282acc28cd886dc599b6e1f4fae21a22babd44b1 3130 3129 2012-05-11T02:55:13Z 31.184.238.15 0 EYaSuJCZzH wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-zocor-online-en.html buy zocor, xjhzg, http://cheappurchaseonline.com/buy-generic-zofran-online-en.html buy zofran online, 022, http://cheappurchaseonline.com/buy-generic-zovirax-online-en.html buy zovirax online, mubcev, http://cheappurchaseonline.com/buy-generic-zyban-online-en.html buy zyban online, %((, http://cheappurchaseonline.com/buy-generic-zyloprim-online-en.html generic zyloprim, 10368, http://cheappurchaseonline.com/buy-generic-zyprexa-online-en.html buy zyprexa, :-PP, http://cheappurchaseonline.com/buy-generic-zyrtec-online-en.html buy zyrtec online, >:-PPP, http://cheappurchaseonline.com/buy-generic-zyvox-online-en.html buy zyvox online, 214, 2620c0fb3942c90e81e6217337597217468da5ed 3131 3130 2012-05-11T02:56:41Z 31.184.238.9 0 MUVRVlIz wikitext text/x-wiki , http://enlignepharmacie.fr/ acheter strattera, 1354, http://enlignepharmacie.fr/acheter-achat-accutane-en-ligne-fr.html vente accutane, cun, http://enlignepharmacie.fr/acheter-achat-amoxil-en-ligne-fr.html generique amoxil, mezox, http://enlignepharmacie.fr/acheter-achat-cialis-en-ligne-fr.html vente cialis, bvvq, http://enlignepharmacie.fr/acheter-achat-cialis-professional-en-ligne-fr.html cialis professional, 017, http://enlignepharmacie.fr/ acheter orlistat, 
>:-PPP, http://enlignepharmacie.fr/acheter-achat-cialis-super-active-en-ligne-fr.html generique cialis super active, >:[, http://enlignepharmacie.fr/acheter-achat-cipro-en-ligne-fr.html acheter cipro, 871621, http://enlignepharmacie.fr/acheter-achat-clomid-en-ligne-fr.html vente clomid, hjr, 4cb19e0ef9a689716987f4e53138a4420bb17eb6 3132 3131 2012-05-11T03:00:31Z 31.184.238.15 0 qPTiXpKxxwPb wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-paxil-cr-online-en.html buy paxil cr, sjyilj, http://cheappurchaseonline.com/buy-generic-paxil-online-en.html generic paxil, >:-[[, http://cheappurchaseonline.com/buy-generic-pentasa-online-en.html buy pentasa, 6451, http://cheappurchaseonline.com/buy-generic-pepcid-online-en.html buy pepcid, 78646, http://cheappurchaseonline.com/buy-generic-periactin-online-en.html generic periactin, 7846, http://cheappurchaseonline.com/buy-generic-persantine-online-en.html generic persantine, 174, http://cheappurchaseonline.com/buy-generic-phenamax-online-en.html generic phenamax, ghxvef, http://cheappurchaseonline.com/buy-generic-phenergan-online-en.html buy phenergan, 8-PP, b3baa296923157925aad4f59e58cc98fff5c1b16 3133 3132 2012-05-11T03:00:55Z 31.184.238.9 0 wvWTdwvrvBBzX wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-phenamax-online-it.html acquistare phenamax, 832754, http://onlinefarmacia.it/comprare-acquistare-phenergan-online-it.html comprare phenergan, bpq, http://onlinefarmacia.it/comprare-acquistare-phoslo-online-it.html acquistare phoslo, >:DDD, http://onlinefarmacia.it/comprare-acquistare-pilex-online-it.html pilex, nrrmup, http://onlinefarmacia.it/comprare-acquistare-plavix-online-it.html acquistare plavix, 5365, http://onlinefarmacia.it/comprare-acquistare-plendil-online-it.html plendil, =[[[, http://onlinefarmacia.it/comprare-acquistare-pletal-online-it.html pletal, jnsd, http://onlinefarmacia.it/comprare-acquistare-ponstel-online-it.html ponstel, 696, 
Linux Security Summit 2012
http://cheappurchaseonline.com/buy-generic-himplasia-online-en.html generic himplasia, 6021, http://cheappurchaseonline.com/buy-generic-hoodia-online-en.html generic hoodia, vydagc, http://cheappurchaseonline.com/buy-generic-hydrea-online-en.html buy hydrea online, :))), http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html buy hyzaar, %-]], http://cheappurchaseonline.com/buy-generic-imdur-online-en.html generic imdur, =-(((, 366e0897a0204d32dec3b3f53b222da74658a1e7 3178 3177 2012-05-11T04:45:43Z 31.184.238.9 0 HvcfxzThyc wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-zantac-online-it.html zantac, >:-[[[, http://onlinefarmacia.it/comprare-acquistare-zebeta-online-it.html acquistare zebeta, 77753, http://onlinefarmacia.it/comprare-acquistare-zerit-online-it.html comprare zerit, 901760, http://onlinefarmacia.it/comprare-acquistare-zestoretic-online-it.html acquistare zestoretic, 270, http://onlinefarmacia.it/comprare-acquistare-zestril-online-it.html zestril, qjfk, http://onlinefarmacia.it/comprare-acquistare-zetia-online-it.html zetia, wmheax, http://onlinefarmacia.it/comprare-acquistare-zocor-online-it.html acquistare zocor, 49094, http://onlinefarmacia.it/comprare-acquistare-zofran-online-it.html zofran, 122339, http://onlinefarmacia.it/comprare-acquistare-zoloft-online-it.html acquistare zoloft, ftbgt, 7c4568d4caf4d3ad51fa92e99292bbd64740a52b 3179 3178 2012-05-11T04:50:16Z 31.184.238.9 0 RqPaEBHsXtlpGoCx wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-aciphex-en-ligne-fr.html aciphex, =]], http://generiquesmedicaments.fr/acheter-achat-acticin-en-ligne-fr.html acticin, 0429, http://generiquesmedicaments.fr/acheter-achat-actigall-en-ligne-fr.html achat actigall, 198, http://generiquesmedicaments.fr/acheter-achat-actos-en-ligne-fr.html actos, 8-[, http://generiquesmedicaments.fr/acheter-achat-adalat-en-ligne-fr.html acheter adalat, 822, http://generiquesmedicaments.fr/acheter-achat-aggrenox-en-ligne-fr.html 
aggrenox, esp, http://generiquesmedicaments.fr/acheter-achat-albenza-en-ligne-fr.html acheter albenza, 674, http://generiquesmedicaments.fr/acheter-achat-alesse-en-ligne-fr.html achat alesse, 574, http://generiquesmedicaments.fr/acheter-achat-alfacip-en-ligne-fr.html achat alfacip, 180, d70737838ca149af4d658d41459cab261fb4b45e 3180 3179 2012-05-11T04:51:58Z 31.184.238.15 0 JQpshoNJHDwEtuio wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-trecator-sc-online-en.html generic trecator-sc, 9287, http://cheappurchaseonline.com/buy-generic-trental-online-en.html buy trental, :-D, http://cheappurchaseonline.com/buy-generic-tricor-online-en.html generic tricor, 054176, http://cheappurchaseonline.com/buy-generic-trileptal-online-en.html buy trileptal online, >:((, http://cheappurchaseonline.com/buy-generic-tritace-online-en.html buy tritace online, 8-DD, http://cheappurchaseonline.com/buy-generic-tylenol-online-en.html buy tylenol, eiv, http://cheappurchaseonline.com/buy-generic-uniphyl-cr-online-en.html buy uniphyl cr online, seweqb, http://cheappurchaseonline.com/buy-generic-urispas-online-en.html generic urispas, trnh, 06265f747d6397030ca74b62fa0c14b3006ffe46 3181 3180 2012-05-11T04:54:30Z 31.184.238.9 0 BiONfAoZGiQxpMt wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-nimotop-online-it.html comprare nimotop, %-DD, http://onlinefarmacia.it/comprare-acquistare-nitroglycerin-online-it.html nitroglycerin, 184, http://onlinefarmacia.it/comprare-acquistare-nizoral-online-it.html nizoral, 32914, http://onlinefarmacia.it/comprare-acquistare-noroxin-online-it.html comprare noroxin, qrjt, http://onlinefarmacia.it/comprare-acquistare-nortriptyline-online-it.html nortriptyline, sfdta, http://onlinefarmacia.it/comprare-acquistare-norvasc-online-it.html acquistare norvasc, sqlun, http://onlinefarmacia.it/comprare-acquistare-omnicef-online-it.html comprare omnicef, %]], http://onlinefarmacia.it/comprare-acquistare-ophthacare-online-it.html 
ophthacare, 850549, http://onlinefarmacia.it/comprare-acquistare-oxytrol-online-it.html acquistare oxytrol, 662, ff14aaf3c254163feccac9798759907a0b3ab0f3 3182 3181 2012-05-11T04:57:02Z 31.184.238.15 0 VJNuEwnmykP wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-isordil-online-en.html buy isordil, mxbajy, http://cheappurchaseonline.com/buy-generic-karela-online-en.html buy karela online, 449, http://cheappurchaseonline.com/buy-generic-keflex-online-en.html generic keflex, eyzb, http://cheappurchaseonline.com/buy-generic-keftab-online-en.html buy keftab online, >:)), http://cheappurchaseonline.com/buy-generic-kemadrin-online-en.html buy kemadrin online, %-P, http://cheappurchaseonline.com/buy-generic-lamictal-online-en.html buy lamictal, 422281, http://cheappurchaseonline.com/buy-generic-lamisil-online-en.html generic lamisil, 81527, http://cheappurchaseonline.com/buy-generic-lamprene-online-en.html generic lamprene, 189444, 6b66d3dcbbbe92c53eee451f277a34fbafffa6ed 3183 3182 2012-05-11T04:59:40Z 31.184.238.9 0 EpSqfuCVV wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-verampil-online-it.html acquistare verampil, wixmzf, http://onlinefarmacia.it/comprare-acquistare-verapamil-online-it.html verapamil, 104, http://onlinefarmacia.it/comprare-acquistare-vermox-online-it.html acquistare vermox, xoruex, http://onlinefarmacia.it/comprare-acquistare-v-gel-online-it.html acquistare v-gel, %), http://onlinefarmacia.it/comprare-acquistare-vibramycin-online-it.html acquistare vibramycin, 919430, http://onlinefarmacia.it/comprare-acquistare-viramune-online-it.html viramune, =((, http://onlinefarmacia.it/comprare-acquistare-vitamin-b12-online-it.html vitamin b12, 0936, http://onlinefarmacia.it/comprare-acquistare-vitamin-c-online-it.html vitamin c, %-PPP, http://onlinefarmacia.it/comprare-acquistare-voltaren-online-it.html comprare voltaren, 8-O, 465136769f7ddf69130c59b33d75fe0efaa971a5 3184 3183 2012-05-11T05:03:40Z 31.184.238.9 0 
vEhQDrFhvsYMyUekNFz wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-precose-online-it.html acquistare precose, :]], http://onlinefarmacia.it/comprare-acquistare-premarin-online-it.html comprare premarin, irn, http://onlinefarmacia.it/comprare-acquistare-prevacid-online-it.html comprare prevacid, 0185, http://onlinefarmacia.it/comprare-acquistare-prilosec-online-it.html comprare prilosec, 805947, http://onlinefarmacia.it/comprare-acquistare-prinivil-online-it.html comprare prinivil, zvywk, http://onlinefarmacia.it/comprare-acquistare-procardia-online-it.html acquistare procardia, %-(((, http://onlinefarmacia.it/comprare-acquistare-prograf-online-it.html comprare prograf, :), http://onlinefarmacia.it/comprare-acquistare-prometrium-online-it.html prometrium, fjyjxa, http://onlinefarmacia.it/comprare-acquistare-proscar-online-it.html proscar, fctvs, 6765082e329796e98d259d9fe08bfa3f9e6cb70c 3185 3184 2012-05-11T05:03:54Z 31.184.238.15 0 QMJLhYIUStiUbVNL wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html buy cozaar online, 88732, http://cheappurchaseonline.com/buy-generic-crestor-online-en.html generic crestor, 529, http://cheappurchaseonline.com/buy-generic-crixivan-online-en.html buy crixivan online, txwtf, http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html buy cymbalta online, 638229, http://cheappurchaseonline.com/buy-generic-cystone-online-en.html buy cystone online, rmldca, http://cheappurchaseonline.com/buy-generic-cytotec-online-en.html buy cytotec online, 222, http://cheappurchaseonline.com/buy-generic-cytoxan-online-en.html buy cytoxan online, ydxvk, http://cheappurchaseonline.com/buy-generic-danazol-online-en.html buy danazol online, 3664, 09acdfd67e70412bac58ad40ac4459cbb505708d 3186 3185 2012-05-11T05:08:06Z 31.184.238.9 0 AsXXzlHVZjYXbmm wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-tetracycline-online-it.html comprare tetracycline, %-OO, 
http://onlinefarmacia.it/comprare-acquistare-theo-24-cr-online-it.html theo-24 cr, 5802, http://onlinefarmacia.it/comprare-acquistare-theo-24-sr-online-it.html theo-24 sr, 8((, http://onlinefarmacia.it/comprare-acquistare-thorazine-online-it.html acquistare thorazine, =-DDD, http://onlinefarmacia.it/comprare-acquistare-ticlid-online-it.html acquistare ticlid, :-PP, http://onlinefarmacia.it/comprare-acquistare-tinidazole-online-it.html acquistare tinidazole, 09895, http://onlinefarmacia.it/comprare-acquistare-tofranil-online-it.html tofranil, 675, http://onlinefarmacia.it/comprare-acquistare-topamax-online-it.html comprare topamax, :PP, http://onlinefarmacia.it/comprare-acquistare-toprol-online-it.html comprare toprol, 3699, 082eae1206a42dd676ea4f9257565e12729a9645 3187 3186 2012-05-11T05:09:29Z 31.184.238.15 0 rBlntXyttzZkWdD wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-phoslo-online-en.html buy phoslo online, ugylki, http://cheappurchaseonline.com/buy-generic-pilex-online-en.html buy pilex online, 302, http://cheappurchaseonline.com/buy-generic-plavix-online-en.html generic plavix, 404654, http://cheappurchaseonline.com/buy-generic-plendil-online-en.html buy plendil, 6158, http://cheappurchaseonline.com/buy-generic-pletal-online-en.html buy pletal online, =-P, http://cheappurchaseonline.com/buy-generic-ponstel-online-en.html generic ponstel, hcwsu, http://cheappurchaseonline.com/buy-generic-prandin-online-en.html buy prandin online, 549, http://cheappurchaseonline.com/buy-generic-precose-online-en.html generic precose, thtyw, 9da7834cdc3f0550640bfafb92964215b90811b3 Linux Security Summit 2012 0 8 3188 3187 2012-05-11T05:12:29Z 31.184.238.9 0 JFgTZcapFuhJRrPAXAp wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-toprol-xl-online-it.html acquistare toprol xl, 290218, http://onlinefarmacia.it/comprare-acquistare-trandate-online-it.html comprare trandate, %-]]], 
http://onlinefarmacia.it/comprare-acquistare-trecator-sc-online-it.html trecator-sc, 8-((, http://onlinefarmacia.it/comprare-acquistare-trental-online-it.html trental, :(, http://onlinefarmacia.it/comprare-acquistare-tricor-online-it.html comprare tricor, orumpy, http://onlinefarmacia.it/comprare-acquistare-trileptal-online-it.html trileptal, yqk, http://onlinefarmacia.it/comprare-acquistare-tritace-online-it.html tritace, =O, http://onlinefarmacia.it/comprare-acquistare-tylenol-online-it.html tylenol, 40249, http://onlinefarmacia.it/comprare-acquistare-uniphyl-cr-online-it.html uniphyl cr, =-D, d125fe51b27ec636b93a92f3fde568c37288ac2c 3189 3188 2012-05-11T05:15:37Z 31.184.238.15 0 ctvLCemKlbINGLMdLF wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-grisactin-online-en.html buy grisactin online, 296, http://cheappurchaseonline.com/buy-generic-herbolax-online-en.html buy herbolax online, :[[[, http://cheappurchaseonline.com/buy-generic-himcolin-online-en.html generic himcolin, 5860, http://cheappurchaseonline.com/buy-generic-himplasia-online-en.html buy himplasia, 86463, http://cheappurchaseonline.com/buy-generic-hoodia-online-en.html buy hoodia online, 964845, http://cheappurchaseonline.com/buy-generic-hydrea-online-en.html buy hydrea online, xvva, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html buy hyzaar, 97716, http://cheappurchaseonline.com/buy-generic-imdur-online-en.html generic imdur, fcbtcu, 8b374295828a83b3ae1398eb62313b91ecaf40dd 3190 3189 2012-05-11T05:17:15Z 31.184.238.9 0 EkdaaggDGiDiiHz wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-super-ed-trial-pack-online-it.html comprare super ed trial pack, %(((, http://onlinefarmacia.it/comprare-acquistare-sustiva-online-it.html comprare sustiva, 193612, http://onlinefarmacia.it/comprare-acquistare-symmetrel-online-it.html acquistare symmetrel, vlc, http://onlinefarmacia.it/comprare-acquistare-synthroid-online-it.html comprare synthroid, 147, 
http://onlinefarmacia.it/comprare-acquistare-tegopen-online-it.html comprare tegopen, 40270, http://onlinefarmacia.it/comprare-acquistare-tenormin-online-it.html comprare tenormin, lpwqxf, http://onlinefarmacia.it/comprare-acquistare-tentex-forte-online-it.html acquistare tentex forte, 4221, http://onlinefarmacia.it/comprare-acquistare-tentex-royal-online-it.html tentex royal, ioaq, http://onlinefarmacia.it/comprare-acquistare-terramycin-online-it.html acquistare terramycin, jxkyc, 51917975d9d1732eb384da214091a5d411ea688f 3191 3190 2012-05-11T05:21:30Z 31.184.238.15 0 qhDjJkHXqpUcygk wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-avodart-online-en.html buy avodart, grozx, http://cheappurchaseonline.com/buy-generic-aygestin-online-en.html buy aygestin online, 019740, http://cheappurchaseonline.com/buy-generic-azulfidine-online-en.html buy azulfidine, 3595, http://cheappurchaseonline.com/buy-generic-baclofen-online-en.html buy baclofen online, gzaer, http://cheappurchaseonline.com/buy-generic-beloc-online-en.html generic beloc, fxnw, http://cheappurchaseonline.com/buy-generic-benadryl-online-en.html buy benadryl online, oby, http://cheappurchaseonline.com/buy-generic-benemid-online-en.html buy benemid online, 9971, http://cheappurchaseonline.com/buy-generic-benicar-online-en.html buy benicar online, qns, d3a8770437dab56e0aa6be012fb966f9ed2d620c 3192 3191 2012-05-11T05:21:49Z 31.184.238.9 0 jSofKIUB wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-phenamax-online-it.html comprare phenamax, 9010, http://onlinefarmacia.it/comprare-acquistare-phenergan-online-it.html acquistare phenergan, 556640, http://onlinefarmacia.it/comprare-acquistare-phoslo-online-it.html acquistare phoslo, 015, http://onlinefarmacia.it/comprare-acquistare-pilex-online-it.html pilex, bnmcx, http://onlinefarmacia.it/comprare-acquistare-plavix-online-it.html comprare plavix, =-]]], http://onlinefarmacia.it/comprare-acquistare-plendil-online-it.html 
acquistare plendil, %-DD, http://onlinefarmacia.it/comprare-acquistare-pletal-online-it.html acquistare pletal, %D, http://onlinefarmacia.it/comprare-acquistare-ponstel-online-it.html acquistare ponstel, :O, http://onlinefarmacia.it/comprare-acquistare-prandin-online-it.html acquistare prandin, =DDD, e3779f42060b557ce3de0f50e9ea6b7f038aa2a2 3193 3192 2012-05-11T05:26:25Z 31.184.238.9 0 JIrmyBBoFuvW wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-remeron-online-it.html acquistare remeron, >:(((, http://onlinefarmacia.it/comprare-acquistare-reminyl-online-it.html acquistare reminyl, 69870, http://onlinefarmacia.it/comprare-acquistare-reosto-online-it.html comprare reosto, =), http://onlinefarmacia.it/comprare-acquistare-requip-online-it.html acquistare requip, >:-]], http://onlinefarmacia.it/comprare-acquistare-retin-a-online-it.html retin-a, zgyl, http://onlinefarmacia.it/comprare-acquistare-retrovir-online-it.html comprare retrovir, %-[, http://onlinefarmacia.it/comprare-acquistare-revia-online-it.html acquistare revia, 972, http://onlinefarmacia.it/comprare-acquistare-risnia-online-it.html acquistare risnia, %OO, http://onlinefarmacia.it/comprare-acquistare-risperdal-online-it.html comprare risperdal, 8)), f64b81ddd06f57b3c38a2f4593e462c3caadb275 3194 3193 2012-05-11T05:27:57Z 31.184.238.15 0 tkgqEsEpDuhKlMulHmL wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html buy ampicillin online, 57948, http://cheappurchaseonline.com/buy-generic-anacin-online-en.html buy anacin online, :PP, http://cheappurchaseonline.com/buy-generic-anafranil-online-en.html buy anafranil online, 0205, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html generic ansaid, rxcenh, http://cheappurchaseonline.com/buy-generic-antabuse-online-en.html buy antabuse online, 32652, http://cheappurchaseonline.com/buy-generic-antivert-online-en.html buy antivert, 375342, 
http://cheappurchaseonline.com/buy-generic-aralen-online-en.html buy aralen online, 8-((, http://cheappurchaseonline.com/buy-generic-arava-online-en.html buy arava online, 4319, 776d7fa9893ea78db7d937e3ec2eaa9b7b474c45 3195 3194 2012-05-11T05:30:51Z 31.184.238.9 0 KyoybFGPuRLMRhXb wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-urispas-online-it.html acquistare urispas, xdru, http://onlinefarmacia.it/comprare-acquistare-uroxatral-online-it.html comprare uroxatral, %], http://onlinefarmacia.it/comprare-acquistare-urso-online-it.html comprare urso, :OO, http://onlinefarmacia.it/comprare-acquistare-valparin-online-it.html comprare valparin, 886, http://onlinefarmacia.it/comprare-acquistare-valtrex-online-it.html valtrex, 943, http://onlinefarmacia.it/comprare-acquistare-vantin-online-it.html vantin, 13755, http://onlinefarmacia.it/comprare-acquistare-vasotec-online-it.html vasotec, =]], http://onlinefarmacia.it/comprare-acquistare-venlor-online-it.html acquistare venlor, wht, http://onlinefarmacia.it/comprare-acquistare-ventolin-online-it.html comprare ventolin, 834, f019992ca5656bcce3129b108f759614370c9b7f 3196 3195 2012-05-11T05:33:37Z 31.184.238.15 0 WhktAkWCbpr wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-premarin-online-en.html buy premarin, 942454, http://cheappurchaseonline.com/buy-generic-prevacid-online-en.html buy prevacid online, yzapbu, http://cheappurchaseonline.com/buy-generic-prilosec-online-en.html generic prilosec, exl, http://cheappurchaseonline.com/buy-generic-prinivil-online-en.html generic prinivil, arv, http://cheappurchaseonline.com/buy-generic-procardia-online-en.html generic procardia, =DDD, http://cheappurchaseonline.com/buy-generic-prograf-online-en.html buy prograf, wicwcd, http://cheappurchaseonline.com/buy-generic-prometrium-online-en.html buy prometrium online, 910906, http://cheappurchaseonline.com/buy-generic-proscar-online-en.html generic proscar, 560601, 
b5a559afbc32778539c553c0f6ec2ba27401f533 3197 3196 2012-05-11T05:35:13Z 31.184.238.9 0 uuNaJQpm wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-diflucan-en-ligne-fr.html acheter diflucan, gkv, http://enlignepharmacie.fr/ acheter amoxil, =-((, http://enlignepharmacie.fr/acheter-achat-doxycycline-en-ligne-fr.html acheter doxycycline en ligne, >:-)), http://enlignepharmacie.fr/acheter-achat-female-viagra-en-ligne-fr.html acheter female viagra en ligne, 60344, http://enlignepharmacie.fr/acheter-achat-flagyl-en-ligne-fr.html achat flagyl, npr, http://enlignepharmacie.fr/acheter-achat-kamagra-en-ligne-fr.html vente kamagra, 8864, http://enlignepharmacie.fr/ acheter levitra, 8-[[, http://enlignepharmacie.fr/acheter-achat-lasix-en-ligne-fr.html generique lasix, 37827, http://enlignepharmacie.fr/acheter-achat-levitra-en-ligne-fr.html acheter levitra en ligne, >:), 5952e2cdb90e0c21cb307e8086622550a9a30e90 3198 3197 2012-05-11T05:39:30Z 31.184.238.9 0 kskUOPybwk wikitext text/x-wiki , http://enlignepharmacie.fr/acheter-achat-ceclor-en-ligne-fr.html achat ceclor, rojsfi, http://enlignepharmacie.fr/acheter-achat-cefaclor-en-ligne-fr.html cefaclor, 816, http://enlignepharmacie.fr/acheter-achat-celebrex-en-ligne-fr.html celebrex, :(((, http://enlignepharmacie.fr/acheter-achat-celexa-en-ligne-fr.html celexa, 246593, http://enlignepharmacie.fr/acheter-achat-cephalexin-en-ligne-fr.html cephalexin, 763803, http://enlignepharmacie.fr/acheter-achat-chloromycetin-en-ligne-fr.html chloromycetin, bvttc, http://enlignepharmacie.fr/acheter-achat-clarinex-en-ligne-fr.html clarinex, ycj, http://enlignepharmacie.fr/acheter-achat-claritin-en-ligne-fr.html achat claritin, 66085, http://enlignepharmacie.fr/acheter-achat-cleocin-en-ligne-fr.html achat cleocin, fvvjzg, 9460d787f6cca8b0330fbb786b535b3a64c1036d 3199 3198 2012-05-11T05:39:54Z 31.184.238.15 0 XSxBJYDduZlnI wikitext text/x-wiki comment2, http://cheappurchaseonline.com/buy-generic-catapres-online-en.html buy catapres 
online, 8O, http://cheappurchaseonline.com/buy-generic-ceclor-cd-online-en.html buy ceclor cd online, 06353, http://cheappurchaseonline.com/buy-generic-ceclor-online-en.html buy ceclor, ofcgg, http://cheappurchaseonline.com/buy-generic-cefaclor-online-en.html generic cefaclor, 461, http://cheappurchaseonline.com/buy-generic-celebrex-online-en.html generic celebrex, 17745, http://cheappurchaseonline.com/buy-generic-celexa-online-en.html buy celexa online, gtl, http://cheappurchaseonline.com/buy-generic-cephalexin-online-en.html buy cephalexin, 935, http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html buy chloromycetin online, 13130, 3b09898a082619a29a791cc667210d5d37acdb77 3200 3199 2012-05-11T05:43:26Z 31.184.238.9 0 rgYUnisSYDAgioO wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-urispas-online-it.html urispas, rdh, http://onlinefarmacia.it/comprare-acquistare-uroxatral-online-it.html uroxatral, 8-((, http://onlinefarmacia.it/comprare-acquistare-urso-online-it.html comprare urso, 2279, http://onlinefarmacia.it/comprare-acquistare-valparin-online-it.html comprare valparin, cod, http://onlinefarmacia.it/comprare-acquistare-valtrex-online-it.html comprare valtrex, msp, http://onlinefarmacia.it/comprare-acquistare-vantin-online-it.html acquistare vantin, xsbj, http://onlinefarmacia.it/comprare-acquistare-vasotec-online-it.html comprare vasotec, qnstr, http://onlinefarmacia.it/comprare-acquistare-venlor-online-it.html comprare venlor, =)), http://onlinefarmacia.it/comprare-acquistare-ventolin-online-it.html ventolin, =(, 153fd123015d5c53a018de880074999b3daf95e0 3201 3200 2012-05-11T05:44:37Z 31.184.238.15 0 JmgsGQrNmIIeHOkw wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html buy ampicillin, =]]], http://cheappurchaseonline.com/buy-generic-anacin-online-en.html buy anacin, yobnv, http://cheappurchaseonline.com/buy-generic-anafranil-online-en.html generic anafranil, nknp, 
http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html buy ansaid online, xeb, http://cheappurchaseonline.com/buy-generic-antabuse-online-en.html buy antabuse, 17163, http://cheappurchaseonline.com/buy-generic-antivert-online-en.html buy antivert, 196, http://cheappurchaseonline.com/buy-generic-aralen-online-en.html buy aralen online, 708, http://cheappurchaseonline.com/buy-generic-arava-online-en.html generic arava, :-[, ef527346e95bfe8105941c51e589086b05b5ce44 3202 3201 2012-05-11T05:47:48Z 31.184.238.9 0 scOmbBWvYSih wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-uniphyl-cr-online-it.html comprare uniphyl cr, =)), http://acquistareladroga.it/comprare-acquistare-urispas-online-it.html comprare urispas, xot, http://acquistareladroga.it/comprare-acquistare-uroxatral-online-it.html acquistare uroxatral, wrnii, http://acquistareladroga.it/comprare-acquistare-urso-online-it.html urso, 8-], http://acquistareladroga.it/comprare-acquistare-valparin-online-it.html comprare valparin, %P, http://acquistareladroga.it/comprare-acquistare-valtrex-online-it.html acquistare valtrex, =O, http://acquistareladroga.it/comprare-acquistare-vantin-online-it.html comprare vantin, :-]], http://acquistareladroga.it/comprare-acquistare-vasotec-online-it.html acquistare vasotec, >:))), http://acquistareladroga.it/comprare-acquistare-venlor-online-it.html acquistare venlor, 033512, 00e7f2a0bb996a7679da662d1b690daa72a64256 3203 3202 2012-05-11T05:49:38Z 31.184.238.15 0 VvERoUkJcWCNloyq wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-zocor-online-en.html buy zocor online, 21280, http://cheappurchaseonline.com/buy-generic-zofran-online-en.html buy zofran online, xwkz, http://cheappurchaseonline.com/buy-generic-zovirax-online-en.html generic zovirax, %]], http://cheappurchaseonline.com/buy-generic-zyban-online-en.html generic zyban, luzrc, http://cheappurchaseonline.com/buy-generic-zyloprim-online-en.html generic zyloprim, 456, 
http://cheappurchaseonline.com/buy-generic-zyprexa-online-en.html buy zyprexa online, 48477, http://cheappurchaseonline.com/buy-generic-zyrtec-online-en.html buy zyrtec online, nhbbu, http://cheappurchaseonline.com/buy-generic-zyvox-online-en.html buy zyvox online, 8))), 0fbc75ba476cd07ad450cbb36c6e4d7376019658 3204 3203 2012-05-11T05:52:16Z 31.184.238.9 0 riOmxUlUJY wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-slimfast-online-it.html slimfast, 525, http://onlinefarmacia.it/comprare-acquistare-smok-ox-online-it.html comprare smok-ox, 62413, http://onlinefarmacia.it/comprare-acquistare-speman-online-it.html comprare speman, 892135, http://onlinefarmacia.it/comprare-acquistare-sporanox-online-it.html sporanox, pcfs, http://onlinefarmacia.it/comprare-acquistare-starlix-online-it.html starlix, ifal, http://onlinefarmacia.it/comprare-acquistare-stromectol-online-it.html comprare stromectol, 943, http://onlinefarmacia.it/comprare-acquistare-styplon-online-it.html acquistare styplon, :-[, http://onlinefarmacia.it/comprare-acquistare-suminat-online-it.html suminat, 83669, http://onlinefarmacia.it/comprare-acquistare-sumycin-online-it.html comprare sumycin, lifs, 6bbe7a20560d80c3e430ce352dc0bec4c99da76c 3205 3204 2012-05-11T05:55:27Z 31.184.238.15 0 sjkhJFCXzeDmQiVT wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-imitrex-online-en.html buy imitrex, axglo, http://cheappurchaseonline.com/buy-generic-imodium-online-en.html generic imodium, 7084, http://cheappurchaseonline.com/buy-generic-imuran-online-en.html buy imuran, =]], http://cheappurchaseonline.com/buy-generic-inderal-la-online-en.html buy inderal la online, qyegm, http://cheappurchaseonline.com/buy-generic-inderal-online-en.html buy inderal online, 42591, http://cheappurchaseonline.com/buy-generic-indinavir-online-en.html buy indinavir, 8-DD, http://cheappurchaseonline.com/buy-generic-isoptin-online-en.html buy isoptin online, cpg, 
Linux Security Summit 2012
http://onlinefarmacia.it/comprare-acquistare-micronase-online-it.html comprare micronase, lxkdgx, http://onlinefarmacia.it/comprare-acquistare-minipress-online-it.html minipress, >:O, http://onlinefarmacia.it/comprare-acquistare-minocin-online-it.html minocin, %D, http://onlinefarmacia.it/comprare-acquistare-minomycin-online-it.html comprare minomycin, 890096, 9bf37a83bb6b83a23d4becf76ebdf7216de0fc6c 3252 3251 2012-05-11T07:48:36Z 31.184.238.9 0 pENsgsLIslBJSRPZYkz wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-pamelor-online-it.html acquistare pamelor, 8OO, http://onlinefarmacia.it/comprare-acquistare-panadol-online-it.html comprare panadol, avu, http://onlinefarmacia.it/comprare-acquistare-parlodel-online-it.html acquistare parlodel, bnybp, http://onlinefarmacia.it/comprare-acquistare-paxil-cr-online-it.html comprare paxil cr, >:P, http://onlinefarmacia.it/comprare-acquistare-paxil-online-it.html paxil, :-D, http://onlinefarmacia.it/comprare-acquistare-pentasa-online-it.html comprare pentasa, 992, http://onlinefarmacia.it/comprare-acquistare-pepcid-online-it.html acquistare pepcid, 0844, http://onlinefarmacia.it/comprare-acquistare-periactin-online-it.html comprare periactin, vkpij, http://onlinefarmacia.it/comprare-acquistare-persantine-online-it.html acquistare persantine, aqdfy, b5fc99dc485ea3273e0de66ffcb0790bb239e6e2 3253 3252 2012-05-11T07:49:44Z 31.184.238.15 0 kOPbeVnfwEbwC wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-catapres-online-en.html buy catapres, >:]]], http://cheappurchaseonline.com/buy-generic-ceclor-cd-online-en.html buy ceclor cd online, fthwf, http://cheappurchaseonline.com/buy-generic-ceclor-online-en.html buy ceclor, %((, http://cheappurchaseonline.com/buy-generic-cefaclor-online-en.html buy cefaclor, %OOO, http://cheappurchaseonline.com/buy-generic-celebrex-online-en.html buy celebrex, 7828, http://cheappurchaseonline.com/buy-generic-celexa-online-en.html buy celexa, 132351, 
http://cheappurchaseonline.com/buy-generic-cephalexin-online-en.html buy cephalexin online, 2596, http://cheappurchaseonline.com/buy-generic-chloromycetin-online-en.html buy chloromycetin online, 847, 046ec57798c02e31d243a96936977895135fbf40 3254 3253 2012-05-11T07:53:26Z 31.184.238.9 0 ZMNicBYbaEVY wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-nexium-online-it.html nexium, 589263, http://acquistareladroga.it/comprare-acquistare-nimotop-online-it.html acquistare nimotop, 279, http://acquistareladroga.it/comprare-acquistare-nitroglycerin-online-it.html nitroglycerin, :-]]], http://acquistareladroga.it/comprare-acquistare-nizoral-online-it.html nizoral, 49655, http://acquistareladroga.it/comprare-acquistare-noroxin-online-it.html acquistare noroxin, =OO, http://acquistareladroga.it/comprare-acquistare-nortriptyline-online-it.html acquistare nortriptyline, 873, http://acquistareladroga.it/comprare-acquistare-norvasc-online-it.html norvasc, 322105, http://acquistareladroga.it/comprare-acquistare-omnicef-online-it.html omnicef, >:)), http://acquistareladroga.it/comprare-acquistare-ophthacare-online-it.html acquistare ophthacare, 4366, fc2839a78094cc1a97673bc237b0d89e822f5a48 3255 3254 2012-05-11T07:55:31Z 31.184.238.15 0 bTemixJqHnpHSdQdW wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-adalat-online-en.html buy adalat online, 1407, http://cheappurchaseonline.com/buy-generic-aggrenox-online-en.html generic aggrenox, 525, http://cheappurchaseonline.com/buy-generic-albenza-online-en.html buy albenza online, >:D, http://cheappurchaseonline.com/buy-generic-alesse-online-en.html buy alesse, 6355, http://cheappurchaseonline.com/buy-generic-alfacip-online-en.html generic alfacip, :), http://cheappurchaseonline.com/buy-generic-allegra-online-en.html buy allegra, :-PP, http://cheappurchaseonline.com/buy-generic-allopurinol-online-en.html buy allopurinol online, >:[[, 
http://cheappurchaseonline.com/buy-generic-amaryl-online-en.html generic amaryl, fnut, 002d02cbfad6f79c6c4a1eaa20efde01b6743130 3256 3255 2012-05-11T07:57:49Z 31.184.238.9 0 oVYfwZkaDIipkZaMpyK wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-elocon-online-it.html comprare elocon, xctvv, http://acquistareladroga.it/comprare-acquistare-epivir-hbv-online-it.html epivir hbv, 39769, http://acquistareladroga.it/comprare-acquistare-epivir-online-it.html comprare epivir, 8-PPP, http://acquistareladroga.it/comprare-acquistare-erythromycin-online-it.html acquistare erythromycin, wyx, http://acquistareladroga.it/comprare-acquistare-eskalith-online-it.html acquistare eskalith, 16347, http://acquistareladroga.it/comprare-acquistare-estrace-online-it.html acquistare estrace, xzmtrp, http://acquistareladroga.it/comprare-acquistare-etodolac-online-it.html acquistare etodolac, 354557, http://acquistareladroga.it/comprare-acquistare-evecare-online-it.html acquistare evecare, bxx, http://acquistareladroga.it/comprare-acquistare-evista-online-it.html acquistare evista, 781, b20695d2db809ca933d11b9621d6ab88a8f1477f 3257 3256 2012-05-11T08:00:59Z 31.184.238.15 0 slbKxInBaNOTRcOOFT wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-finpecia-online-en.html buy finpecia, 868, http://cheappurchaseonline.com/buy-generic-flomax-online-en.html buy flomax online, >:-PP, http://cheappurchaseonline.com/buy-generic-flonase-online-en.html buy flonase online, 11996, http://cheappurchaseonline.com/buy-generic-flovent-online-en.html buy flovent online, obyscn, http://cheappurchaseonline.com/buy-generic-floxin-online-en.html buy floxin online, jrihl, http://cheappurchaseonline.com/buy-generic-fludac-online-en.html buy fludac online, lyxe, http://cheappurchaseonline.com/buy-generic-fluoxetine-online-en.html buy fluoxetine, 328725, http://cheappurchaseonline.com/buy-generic-fosamax-online-en.html buy fosamax, sbz, e61f3b589323cefa97f554bd89ad046f31832c54 3258 
3257 2012-05-11T08:01:55Z 31.184.238.9 0 vuJSFYGXtMJhMZEfb wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-artane-online-it.html acquistare artane, %-PPP, http://onlinefarmacia.it/comprare-acquistare-asendin-online-it.html acquistare asendin, jkn, http://onlinefarmacia.it/comprare-acquistare-ashwafera-online-it.html comprare ashwafera, 4769, http://onlinefarmacia.it/comprare-acquistare-ashwagandha-online-it.html ashwagandha, 35182, http://onlinefarmacia.it/comprare-acquistare-astelin-online-it.html astelin, 4152, http://onlinefarmacia.it/comprare-acquistare-atacand-online-it.html comprare atacand, 114489, http://onlinefarmacia.it/comprare-acquistare-atarax-online-it.html atarax, nzd, http://onlinefarmacia.it/comprare-acquistare-atrovent-online-it.html acquistare atrovent, 10596, http://onlinefarmacia.it/comprare-acquistare-augmentin-online-it.html augmentin, >:PPP, ea010a0447727d42d40c1e42607169bde9d54e06 3259 3258 2012-05-11T08:06:49Z 31.184.238.15 0 eOdOtGUAVxslCv wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-naprelan-online-en.html generic naprelan, 467309, http://cheappurchaseonline.com/buy-generic-neem-online-en.html buy neem online, 5688, http://cheappurchaseonline.com/buy-generic-neurontin-online-en.html generic neurontin, ytrjer, http://cheappurchaseonline.com/buy-generic-nexium-online-en.html buy nexium, 04611, http://cheappurchaseonline.com/buy-generic-nimotop-online-en.html buy nimotop, 872612, http://cheappurchaseonline.com/buy-generic-nitroglycerin-online-en.html generic nitroglycerin, gikg, http://cheappurchaseonline.com/buy-generic-nizoral-online-en.html generic nizoral, 692, http://cheappurchaseonline.com/buy-generic-noroxin-online-en.html generic noroxin, wqfxse, 7c2359d8b23c2652b5a3979dec06fd1a2aa1f264 3260 3259 2012-05-11T08:07:04Z 31.184.238.9 0 ycxxhVrZbnof wikitext text/x-wiki , http://generiquesmedicaments.fr/acheter-achat-reosto-en-ligne-fr.html acheter reosto, gyx, 
http://generiquesmedicaments.fr/acheter-achat-requip-en-ligne-fr.html acheter requip, 355292, http://generiquesmedicaments.fr/acheter-achat-retin-a-en-ligne-fr.html achat retin-a, 866458, http://generiquesmedicaments.fr/acheter-achat-retrovir-en-ligne-fr.html retrovir, =O, http://generiquesmedicaments.fr/acheter-achat-revia-en-ligne-fr.html acheter revia, 49456, http://generiquesmedicaments.fr/acheter-achat-risnia-en-ligne-fr.html risnia, 254127, http://generiquesmedicaments.fr/acheter-achat-risperdal-en-ligne-fr.html acheter risperdal, 661, http://generiquesmedicaments.fr/acheter-achat-robaxin-en-ligne-fr.html achat robaxin, =(((, http://generiquesmedicaments.fr/acheter-achat-rocaltrol-en-ligne-fr.html rocaltrol, 8-[[[, c9145a339a5b6ad721f3757601d005ee23c20eca 3261 3260 2012-05-11T08:10:44Z 31.184.238.9 0 aAfwMXDTBs wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-antabuse-online-it.html acquistare antabuse, mcei, http://onlinefarmacia.it/comprare-acquistare-antivert-online-it.html antivert, >:(, http://onlinefarmacia.it/comprare-acquistare-aralen-online-it.html acquistare aralen, 8-[[, http://onlinefarmacia.it/comprare-acquistare-arava-online-it.html arava, leems, http://onlinefarmacia.it/comprare-acquistare-arcoxia-online-it.html arcoxia, 8-]], http://onlinefarmacia.it/comprare-acquistare-aricept-online-it.html aricept, 8PP, http://onlinefarmacia.it/comprare-acquistare-arimidex-online-it.html comprare arimidex, 4558, http://onlinefarmacia.it/comprare-acquistare-aristocort-online-it.html aristocort, 8(, http://onlinefarmacia.it/comprare-acquistare-arjuna-online-it.html acquistare arjuna, %-]]], 0c456c2e812ecad58c5d7fe37b2746ea893e7e2a 3262 3261 2012-05-11T08:12:38Z 31.184.238.15 0 isATjjkGL wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-grisactin-online-en.html generic grisactin, 7314, http://cheappurchaseonline.com/buy-generic-herbolax-online-en.html buy herbolax, :)), 
http://cheappurchaseonline.com/buy-generic-himcolin-online-en.html buy himcolin, xnkm, http://cheappurchaseonline.com/buy-generic-himplasia-online-en.html buy himplasia online, kujpw, http://cheappurchaseonline.com/buy-generic-hoodia-online-en.html generic hoodia, plr, http://cheappurchaseonline.com/buy-generic-hydrea-online-en.html generic hydrea, 0953, http://cheappurchaseonline.com/buy-generic-hyzaar-online-en.html buy hyzaar online, :-O, http://cheappurchaseonline.com/buy-generic-imdur-online-en.html buy imdur online, 905, 89e438755ccfd8507e903010e550470035a4851d 3263 3262 2012-05-11T08:14:54Z 31.184.238.9 0 gIFiwyPelACHOB wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-phenamax-online-it.html phenamax, uyo, http://onlinefarmacia.it/comprare-acquistare-phenergan-online-it.html comprare phenergan, jxu, http://onlinefarmacia.it/comprare-acquistare-phoslo-online-it.html comprare phoslo, qjfnc, http://onlinefarmacia.it/comprare-acquistare-pilex-online-it.html pilex, =-[, http://onlinefarmacia.it/comprare-acquistare-plavix-online-it.html comprare plavix, =-[[, http://onlinefarmacia.it/comprare-acquistare-plendil-online-it.html acquistare plendil, 8-(((, http://onlinefarmacia.it/comprare-acquistare-pletal-online-it.html comprare pletal, =[, http://onlinefarmacia.it/comprare-acquistare-ponstel-online-it.html comprare ponstel, %-), http://onlinefarmacia.it/comprare-acquistare-prandin-online-it.html comprare prandin, %-), bced7188910bc48ebb88b0a94ae25adfa484b34e 3264 3263 2012-05-11T08:17:43Z 31.184.238.15 0 rMGsxmTJtWQAA wikitext text/x-wiki comment5, http://cheappurchaseonline.com/buy-generic-ampicillin-online-en.html buy ampicillin online, cnj, http://cheappurchaseonline.com/buy-generic-anacin-online-en.html buy anacin, vnzbw, http://cheappurchaseonline.com/buy-generic-anafranil-online-en.html buy anafranil online, 380, http://cheappurchaseonline.com/buy-generic-ansaid-online-en.html buy ansaid online, >:-[[[, 
http://cheappurchaseonline.com/buy-generic-antabuse-online-en.html buy antabuse, 2662, http://cheappurchaseonline.com/buy-generic-antivert-online-en.html generic antivert, %-], http://cheappurchaseonline.com/buy-generic-aralen-online-en.html buy aralen, 1404, http://cheappurchaseonline.com/buy-generic-arava-online-en.html buy arava, %P, 72a6d542dc0620e44bc5962f37b329502e034f21 3265 3264 2012-05-11T08:19:27Z 31.184.238.9 0 RJOOnDNuFdopbd wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-cleocin-online-it.html cleocin, aebsan, http://onlinefarmacia.it/comprare-acquistare-clonidine-online-it.html acquistare clonidine, kqxgp, http://onlinefarmacia.it/comprare-acquistare-clozaril-online-it.html clozaril, 10105, http://onlinefarmacia.it/comprare-acquistare-colospa-online-it.html acquistare colospa, xjgb, http://onlinefarmacia.it/comprare-acquistare-combipres-online-it.html comprare combipres, eckc, http://onlinefarmacia.it/comprare-acquistare-combivent-online-it.html combivent, nsodr, http://onlinefarmacia.it/comprare-acquistare-combivir-online-it.html comprare combivir, =))), http://onlinefarmacia.it/comprare-acquistare-compazine-online-it.html compazine, yluq, http://onlinefarmacia.it/comprare-acquistare-confido-online-it.html confido, 866, f3d7216778f793f836fad345671a26a304d06ac8 3266 3265 2012-05-11T08:23:17Z 31.184.238.15 0 QfgncLinBzb wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-arcoxia-online-en.html buy arcoxia, 718, http://cheappurchaseonline.com/buy-generic-aricept-online-en.html buy aricept, :]], http://cheappurchaseonline.com/buy-generic-arimidex-online-en.html buy arimidex online, jmsqsw, http://cheappurchaseonline.com/buy-generic-aristocort-online-en.html generic aristocort, 84612, http://cheappurchaseonline.com/buy-generic-arjuna-online-en.html buy arjuna, 10836, http://cheappurchaseonline.com/buy-generic-artane-online-en.html generic artane, ugw, 
http://cheappurchaseonline.com/buy-generic-asendin-online-en.html buy asendin, krwh, http://cheappurchaseonline.com/buy-generic-ashwafera-online-en.html buy ashwafera, lrqlx, 85c087e10c0ea9ff2ea593ba0ca4129fa90f3324 3267 3266 2012-05-11T08:23:41Z 31.184.238.9 0 WuAcGtFuAskKLZgqRk wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-phenamax-online-it.html acquistare phenamax, 351, http://onlinefarmacia.it/comprare-acquistare-phenergan-online-it.html phenergan, sror, http://onlinefarmacia.it/comprare-acquistare-phoslo-online-it.html phoslo, 779235, http://onlinefarmacia.it/comprare-acquistare-pilex-online-it.html pilex, =), http://onlinefarmacia.it/comprare-acquistare-plavix-online-it.html acquistare plavix, 39616, http://onlinefarmacia.it/comprare-acquistare-plendil-online-it.html plendil, %-PP, http://onlinefarmacia.it/comprare-acquistare-pletal-online-it.html acquistare pletal, =-PPP, http://onlinefarmacia.it/comprare-acquistare-ponstel-online-it.html ponstel, djfy, http://onlinefarmacia.it/comprare-acquistare-prandin-online-it.html comprare prandin, zsed, a7c469ed2c0c5e47af8a485ac7086ae75b9308b0 3268 3267 2012-05-11T08:28:07Z 31.184.238.9 0 rShEAcOUOJNB wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-seroquel-online-it.html acquistare seroquel, 303826, http://onlinefarmacia.it/comprare-acquistare-shallaki-online-it.html acquistare shallaki, =-]]], http://onlinefarmacia.it/comprare-acquistare-shuddha-guggulu-online-it.html acquistare shuddha guggulu, %-[[, http://onlinefarmacia.it/comprare-acquistare-sinemet-cr-online-it.html comprare sinemet cr, pvr, http://onlinefarmacia.it/comprare-acquistare-sinemet-online-it.html acquistare sinemet, ctkxh, http://onlinefarmacia.it/comprare-acquistare-sinequan-online-it.html acquistare sinequan, :(((, http://onlinefarmacia.it/comprare-acquistare-singulair-online-it.html acquistare singulair, 87757, http://onlinefarmacia.it/comprare-acquistare-skelaxin-online-it.html acquistare skelaxin, 
iirybv, http://onlinefarmacia.it/comprare-acquistare-sleepwell-online-it.html acquistare sleepwell, qezvd, dbb7e59199edcab9f892dbd6eb5e40f2c688df04 3269 3268 2012-05-11T08:29:02Z 31.184.238.15 0 DuflFrkksbMxbx wikitext text/x-wiki comment1, http://cheappurchaseonline.com/buy-generic-cozaar-online-en.html buy cozaar, %-), http://cheappurchaseonline.com/buy-generic-crestor-online-en.html buy crestor, 025018, http://cheappurchaseonline.com/buy-generic-crixivan-online-en.html buy crixivan, 691920, http://cheappurchaseonline.com/buy-generic-cymbalta-online-en.html generic cymbalta, lgphxv, http://cheappurchaseonline.com/buy-generic-cystone-online-en.html buy cystone online, yjdfg, http://cheappurchaseonline.com/buy-generic-cytotec-online-en.html buy cytotec, 8-), http://cheappurchaseonline.com/buy-generic-cytoxan-online-en.html buy cytoxan, >:PP, http://cheappurchaseonline.com/buy-generic-danazol-online-en.html buy danazol online, 8-((, 33281889dbdd4e8fb984652117cd44bf3c06f0c0 3270 3269 2012-05-11T08:32:59Z 31.184.238.9 0 gHmSgXTepQtHD wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-uniphyl-cr-online-it.html acquistare uniphyl cr, ocxxv, http://acquistareladroga.it/comprare-acquistare-urispas-online-it.html comprare urispas, %O, http://acquistareladroga.it/comprare-acquistare-uroxatral-online-it.html comprare uroxatral, mjfx, http://acquistareladroga.it/comprare-acquistare-urso-online-it.html acquistare urso, >:-[[, http://acquistareladroga.it/comprare-acquistare-valparin-online-it.html valparin, :-OO, http://acquistareladroga.it/comprare-acquistare-valtrex-online-it.html acquistare valtrex, xhajo, http://acquistareladroga.it/comprare-acquistare-vantin-online-it.html acquistare vantin, 810, http://acquistareladroga.it/comprare-acquistare-vasotec-online-it.html vasotec, :[[[, http://acquistareladroga.it/comprare-acquistare-venlor-online-it.html comprare venlor, 184834, ca529e015c000de2b5c32a4f5af579103d60c42a 3271 3270 2012-05-11T08:34:24Z 
31.184.238.15 0 pUuMLYIhAAA wikitext text/x-wiki comment3, http://cheappurchaseonline.com/buy-generic-meclizine-online-en.html buy meclizine, 8[[, http://cheappurchaseonline.com/buy-generic-mellaril-online-en.html buy mellaril online, btjif, http://cheappurchaseonline.com/buy-generic-menosan-online-en.html buy menosan, =-PPP, http://cheappurchaseonline.com/buy-generic-mentat-online-en.html generic mentat, 8], http://cheappurchaseonline.com/buy-generic-mestinon-online-en.html generic mestinon, 961408, http://cheappurchaseonline.com/buy-generic-methotrexate-online-en.html buy methotrexate online, 720809, http://cheappurchaseonline.com/buy-generic-mevacor-online-en.html buy mevacor, 160, http://cheappurchaseonline.com/buy-generic-micronase-online-en.html generic micronase, %-OOO, 677fd7e51ce68b03f113160b3f52b401f1a490de 3272 3271 2012-05-11T08:36:54Z 31.184.238.9 0 OlQmQzXwBnPwWn wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-lamprene-online-it.html acquistare lamprene, zsg, http://onlinefarmacia.it/comprare-acquistare-lanoxin-online-it.html acquistare lanoxin, kxwtu, http://onlinefarmacia.it/comprare-acquistare-lasuna-online-it.html acquistare lasuna, 3850, http://onlinefarmacia.it/comprare-acquistare-leukeran-online-it.html acquistare leukeran, nmny, http://onlinefarmacia.it/comprare-acquistare-levaquin-online-it.html levaquin, =(, http://onlinefarmacia.it/comprare-acquistare-lexapro-online-it.html comprare lexapro, =OO, http://onlinefarmacia.it/comprare-acquistare-lincocin-online-it.html lincocin, 264, http://onlinefarmacia.it/comprare-acquistare-lioresal-online-it.html acquistare lioresal, qkyvp, http://onlinefarmacia.it/comprare-acquistare-lipitor-online-it.html lipitor, uozzy, 13ade7d7104d2e7626e3158dfeb833cbbe1a66cf 3273 3272 2012-05-11T08:39:58Z 31.184.238.15 0 mjjbkRbTHtvtIaqeaE wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-finpecia-online-en.html buy finpecia online, 502, 
http://cheappurchaseonline.com/buy-generic-flomax-online-en.html buy flomax, 439963, http://cheappurchaseonline.com/buy-generic-flonase-online-en.html buy flonase, ugxx, http://cheappurchaseonline.com/buy-generic-flovent-online-en.html generic flovent, ids, http://cheappurchaseonline.com/buy-generic-floxin-online-en.html generic floxin, =DD, http://cheappurchaseonline.com/buy-generic-fludac-online-en.html buy fludac, :((, http://cheappurchaseonline.com/buy-generic-fluoxetine-online-en.html buy fluoxetine, kcyrui, http://cheappurchaseonline.com/buy-generic-fosamax-online-en.html generic fosamax, zbw, 6a018416d4d6c872b150f5aa351c64bbc165128b 3274 3273 2012-05-11T08:41:32Z 31.184.238.9 0 JTJVdLvJcTgKBBxOnfT wikitext text/x-wiki , http://acquistareladroga.it/comprare-acquistare-zagam-online-it.html acquistare zagam, >:-), http://acquistareladroga.it/comprare-acquistare-zantac-online-it.html comprare zantac, cishe, http://acquistareladroga.it/comprare-acquistare-zebeta-online-it.html zebeta, =-(, http://acquistareladroga.it/comprare-acquistare-zerit-online-it.html zerit, 26490, http://acquistareladroga.it/comprare-acquistare-zestoretic-online-it.html comprare zestoretic, nmtnyw, http://acquistareladroga.it/comprare-acquistare-zestril-online-it.html comprare zestril, wnun, http://acquistareladroga.it/comprare-acquistare-zetia-online-it.html zetia, =]], http://acquistareladroga.it/comprare-acquistare-zocor-online-it.html zocor, 59932, http://acquistareladroga.it/comprare-acquistare-zofran-online-it.html zofran, %-(((, 3bd80ca3e268669dc2c67bf0bf8962c9b546911a 3275 3274 2012-05-11T08:45:42Z 31.184.238.15 0 lTKOENnNqqfStHIGM wikitext text/x-wiki comment4, http://cheappurchaseonline.com/buy-generic-clarinex-online-en.html buy clarinex online, :O, http://cheappurchaseonline.com/buy-generic-claritin-online-en.html generic claritin, 8))), http://cheappurchaseonline.com/buy-generic-cleocin-online-en.html buy cleocin, 745, 
http://cheappurchaseonline.com/buy-generic-clonidine-online-en.html buy clonidine online, 5188, http://cheappurchaseonline.com/buy-generic-clozaril-online-en.html buy clozaril online, >:-OOO, http://cheappurchaseonline.com/buy-generic-colospa-online-en.html buy colospa online, 8-))), http://cheappurchaseonline.com/buy-generic-combipres-online-en.html buy combipres, 587890, http://cheappurchaseonline.com/buy-generic-combivent-online-en.html buy combivent online, hlcua, b97340a039c1595b47d42b3ab06bfaef951e9560 3276 3275 2012-05-11T08:45:57Z 31.184.238.9 0 REGzyRGtqNsvljDRizJ wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-robaxin-online-it.html acquistare robaxin, =-P, http://onlinefarmacia.it/comprare-acquistare-rocaltrol-online-it.html rocaltrol, igbh, http://onlinefarmacia.it/comprare-acquistare-rulide-online-it.html acquistare rulide, dzn, http://onlinefarmacia.it/comprare-acquistare-rumalaya-fort-online-it.html comprare rumalaya fort, 289416, http://onlinefarmacia.it/comprare-acquistare-rumalaya-online-it.html rumalaya, 541, http://onlinefarmacia.it/comprare-acquistare-rythmol-online-it.html acquistare rythmol, dmbia, http://onlinefarmacia.it/comprare-acquistare-septilin-online-it.html acquistare septilin, 07268, http://onlinefarmacia.it/comprare-acquistare-serevent-online-it.html acquistare serevent, 859347, http://onlinefarmacia.it/comprare-acquistare-serophene-online-it.html comprare serophene, ndhrsj, 56cb3f82cd32f3aa06e57909f4f0f4072e9b9fc8 3277 3276 2012-05-11T08:49:55Z 31.184.238.9 0 jpnWzpjBuV wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-isoptin-online-it.html acquistare isoptin, 8[[, http://onlinefarmacia.it/comprare-acquistare-isoptin-sr-online-it.html acquistare isoptin sr, :], http://onlinefarmacia.it/comprare-acquistare-isordil-online-it.html acquistare isordil, 8822, http://onlinefarmacia.it/comprare-acquistare-karela-online-it.html acquistare karela, 8090, 
http://onlinefarmacia.it/comprare-acquistare-keflex-online-it.html keflex, wfsinr, http://onlinefarmacia.it/comprare-acquistare-keftab-online-it.html keftab, %((, http://onlinefarmacia.it/comprare-acquistare-kemadrin-online-it.html kemadrin, ujeo, http://onlinefarmacia.it/comprare-acquistare-lamictal-online-it.html lamictal, 24656, http://onlinefarmacia.it/comprare-acquistare-lamisil-online-it.html comprare lamisil, %-D, 85d25951e00c17a185c17fa728f08ee1ef435002 3278 3277 2012-05-11T08:51:24Z 31.184.238.15 0 pPPKafuQS wikitext text/x-wiki comment6, http://cheappurchaseonline.com/buy-generic-voltaren-online-en.html buy voltaren, 174, http://cheappurchaseonline.com/buy-generic-voltaren-xr-online-en.html buy voltaren xr online, kgt, http://cheappurchaseonline.com/buy-generic-voltarol-online-en.html buy voltarol, 054797, http://cheappurchaseonline.com/buy-generic-voveran-online-en.html buy voveran, 0176, http://cheappurchaseonline.com/buy-generic-voveran-sr-online-en.html buy voveran sr, 8[[[, http://cheappurchaseonline.com/buy-generic-wondersleep-online-en.html buy wondersleep online, zblhm, http://cheappurchaseonline.com/buy-generic-xalatan-0005-online-en.html generic xalatan 0.005%, 985404, http://cheappurchaseonline.com/buy-generic-xeloda-online-en.html buy xeloda, 7529, 2c141021107a78f0626498a16a13400e3d7195d9 3279 3278 2012-05-11T08:54:23Z 31.184.238.9 0 ZwpPMdJiW wikitext text/x-wiki , http://onlinefarmacia.it/comprare-acquistare-phenamax-online-it.html phenamax, :-P, http://onlinefarmacia.it/comprare-acquistare-phenergan-online-it.html acquistare phenergan, 901302, http://onlinefarmacia.it/comprare-acquistare-phoslo-online-it.html comprare phoslo, 095, http://onlinefarmacia.it/comprare-acquistare-pilex-online-it.html pilex, 8-OOO, http://onlinefarmacia.it/comprare-acquistare-plavix-online-it.html acquistare plavix, yjv, http://onlinefarmacia.it/comprare-acquistare-plendil-online-it.html comprare plendil, 3949, 
3286 3285 2012-05-11T09:20:04Z WikiSysop 1 Restored after spambot attack wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users.
Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Short talks * Roundtable discussions * Breakout development sessions =Dates and Location= The Linux Security Summit for 2012 will be held across 30 and 31 August in San Diego, CA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as Linux Plumbers and the Kernel Summit. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. =Call for Participation= The Linux Security Summit call for participation (CFP) is now open, and will close on 23rd of May. The program committee currently seeks proposals for: * '''Refereed Presentations''' 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * '''Short Talks''' 30 minutes in length, discussion-oriented. Slides should be minimal. * '''Roundtable Discussion Topics''' These discussions are typically one hour in length and used to explore and resolve current issues. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. =Attendance= The event is open to all registered LinuxCon attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users. 
=Program Committee= The Linux Security Summit for 2012 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Tresys * Tetsuo Handa, NTT Data * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 73c85f1518c87c6d7999a8dc96a63a99e6c520f3 3287 3286 2012-05-13T03:06:34Z JamesMorris 2 wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Short talks * Roundtable discussions * Breakout development sessions =Dates and Location= The Linux Security Summit for 2012 will be held across 30 and 31 August in San Diego, CA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as Linux Plumbers and the Kernel Summit. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. =Call for Participation= The Linux Security Summit call for participation (CFP) is now open, and will close on 23rd of May. The program committee currently seeks proposals for: * '''Refereed Presentations''' 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * '''Short Talks''' 30 minutes in length, discussion-oriented. Slides should be minimal. * '''Roundtable Discussion Topics''' These discussions are typically one hour in length and used to explore and resolve current issues. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. =Attendance= The event is open to all registered LinuxCon attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users. =Program Committee= The Linux Security Summit for 2012 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Tresys * Tetsuo Handa, NTT Data Intellilink * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 50586381e05a498d575892fd094fafd58cc8a3e1 Linux Security Summit 2011 0 89 3288 2012-05-23T23:46:06Z JamesMorris 2 New page: == Linux Security Summit 2011 == <font color="navy"> === Latest News === </font> * ''15 Jun 2011:'' The [[LinuxSecuritySummit2011/Schedule|schedule]] is now published. * ''30 May 2011:''... wikitext text/x-wiki == Linux Security Summit 2011 == <font color="navy"> === Latest News === </font> * ''15 Jun 2011:'' The [[LinuxSecuritySummit2011/Schedule|schedule]] is now published. * ''30 May 2011:'' The CFP is now closed. === Description === The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its aim is to foster community efforts in analyzing and solving Linux security challenges. 
The format of the summit will be: * Selected brief presentations * In-depth roundtable discussions === Venue === The Linux Security Summit for 2011 will be held on the 8th of September at the Hyatt Vineyard Creek in Santa Rosa, CA, USA. It will be co-located with [http://www.linuxplumbersconf.org/2011/ Linux Plumbers Conference] (LPC), and located in the Sonoma Mountain conference room. Note that Linux Security Summit attendees and speakers must be registered to attend LPC. See the [http://www.linuxplumbersconf.org/2011/attend LPC site] for full details on registration, travel, and accommodation. === Schedule === * See the [[LinuxSecuritySummit2011/Schedule|Schedule]] for a timetable of the summit and talk abstracts. ** [https://security.wiki.kernel.org/index.php?title=LinuxSecuritySummit2011/Schedule&printable=yes Printable version] === Dates === * <s>CFP open: 4th April 2011</s> * <s>CFP close: 27th May 2011</s> * <s>Speaker notification: 1st June 2011</s> * Event: 8th September 2011 === Participation === The event is open to all registered LPC attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users. === Mailing list === Everyone planning to attend should join the event mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit Updates and announcements about the event will also be sent to the list.
=== Program Committee === The Linux Security Summit for 2011 is organized by: * James Morris, Red Hat * Serge Hallyn, Canonical * Paul Moore, HP * Stephen Smalley, NSA * Joshua Brindle, Tresys * Tetsuo Handa, NTT Data * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Canonical * Casey Schaufler, Smack Project The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org === Resources === * [[LinuxSecuritySummit2010|Linux Security Summit 2010]] - last year's event, held in Boston. 1a90626de9b59aeb4cc43acff892134399a254eb 3289 3288 2012-05-23T23:46:59Z JamesMorris 2 /* Latest News */ wikitext text/x-wiki == Linux Security Summit 2011 == <font color="navy"> === Latest News === </font> * ''15 Jun 2011:'' The [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2011/Schedule schedule] is now published. * ''30 May 2011:'' The CFP is now closed. === Description === The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Selected brief presentations * In-depth roundtable discussions === Venue === The Linux Security Summit for 2011 will be held on the 8th of September at the Hyatt Vineyard Creek in Santa Rosa, CA, USA. It will be co-located with [http://www.linuxplumbersconf.org/2011/ Linux Plumbers Conference] (LPC), and located in the Sonoma Mountain conference room. Note that Linux Security Summit attendees and speakers must be registered to attend LPC. See the [http://www.linuxplumbersconf.org/2011/attend LPC site] for full details on registration, travel, and accommodation. === Schedule === * See the [[LinuxSecuritySummit2011/Schedule|Schedule]] for a timetable of the summit and talk abstracts.
** [https://security.wiki.kernel.org/index.php?title=LinuxSecuritySummit2011/Schedule&printable=yes Printable version] === Dates === * <s>CFP open: 4th April 2011</s> * <s> CFP close: 27th May 2011</s> * <s>Speaker notification: 1st June 2011</s> * Event: 8th September 2011 === Participation === The event is open to all registered LPC attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users. === Mailing list === Everyone planning to attend should join the event mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit Updates and announcements about the event will also be sent to the list. === Program Committee === The Linux Security Summit for 2011 is organized by: * James Morris, Red Hat * Serge Hallyn, Canonical * Paul Moore, HP * Stephen Smalley, NSA * Joshua Brindle, Tresys * Tetsuo Handa, NTT Data * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Canonical * Casey Schaufler, Smack Project The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org === Resources === * [[LinuxSecuritySummit2010|Linux Security Summit 2010]] - last year's event, held in Boston. fd582316dbd8b77aa3b8d5ed2e86ae74d53fec96 3290 3289 2012-05-23T23:47:12Z JamesMorris 2 /* Latest News */ wikitext text/x-wiki == Linux Security Summit 2011 == <font color="navy"> === Latest News === </font> * ''15 Jun 2011:'' The [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2011/Schedule schedule] is now published. * ''30 May 2011:'' The CFP is now closed. === Description === The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its aim is to foster community efforts in analyzing and solving Linux security challenges. 
The format of the summit will be: * Selected brief presentations * In-depth roundtable discussions === Venue === The Linux Security Summit for 2011 will be held on the 8th of September at the Hyatt Vineyard Creek in Santa Rosa, CA, USA. It will be co-located with [http://www.linuxplumbersconf.org/2011/ Linux Plumbers Conference] (LPC), and located in the Sonoma Mountain conference room. Note that Linux Security Summit attendees and speakers must be registered to attend LPC. See the [http://www.linuxplumbersconf.org/2011/attend LPC site] for full details on registration, travel, and accommodation. === Schedule === * See the [[LinuxSecuritySummit2011/Schedule|Schedule]] for a timetable of the summit and talk abstracts. ** [https://security.wiki.kernel.org/index.php?title=LinuxSecuritySummit2011/Schedule&printable=yes Printable version] === Dates === * <s>CFP open: 4th April 2011</s> * <s>CFP close: 27th May 2011</s> * <s>Speaker notification: 1st June 2011</s> * Event: 8th September 2011 === Participation === The event is open to all registered LPC attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users. === Mailing list === Everyone planning to attend should join the event mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit Updates and announcements about the event will also be sent to the list.
=== Program Committee === The Linux Security Summit for 2011 is organized by: * James Morris, Red Hat * Serge Hallyn, Canonical * Paul Moore, HP * Stephen Smalley, NSA * Joshua Brindle, Tresys * Tetsuo Handa, NTT Data * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Canonical * Casey Schaufler, Smack Project The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org === Resources === * [[LinuxSecuritySummit2010|Linux Security Summit 2010]] - last year's event, held in Boston. 3e66d40dc7d9bc49d0dfb58d6dcd5add4c886caa 3291 3290 2012-05-23T23:47:51Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki == Linux Security Summit 2011 == <font color="navy"> === Latest News === </font> * ''15 Jun 2011:'' The [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2011/Schedule schedule] is now published. * ''30 May 2011:'' The CFP is now closed. === Description === The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Selected brief presentations * In-depth roundtable discussions === Venue === The Linux Security Summit for 2011 will be held on the 8th of September at the Hyatt Vineyard Creek in Santa Rosa, CA, USA. It will be co-located with [http://www.linuxplumbersconf.org/2011/ Linux Plumbers Conference] (LPC), and located in the Sonoma Mountain conference room. Note that Linux Security Summit attendees and speakers must be registered to attend LPC. See the [http://www.linuxplumbersconf.org/2011/attend LPC site] for full details on registration, travel, and accommodation. === Schedule === * See the [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2011/Schedule schedule] for a timetable of the summit and talk abstracts.
** [https://security.wiki.kernel.org/index.php?title=LinuxSecuritySummit2011/Schedule&printable=yes Printable version] === Dates === * <s>CFP open: 4th April 2011</s> * <s>CFP close: 27th May 2011</s> * <s>Speaker notification: 1st June 2011</s> * Event: 8th September 2011 === Participation === The event is open to all registered LPC attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users. === Mailing list === Everyone planning to attend should join the event mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit Updates and announcements about the event will also be sent to the list. === Program Committee === The Linux Security Summit for 2011 is organized by: * James Morris, Red Hat * Serge Hallyn, Canonical * Paul Moore, HP * Stephen Smalley, NSA * Joshua Brindle, Tresys * Tetsuo Handa, NTT Data * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Canonical * Casey Schaufler, Smack Project The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org === Resources === * [[LinuxSecuritySummit2010|Linux Security Summit 2010]] - last year's event, held in Boston. 3da50a10b8493d7d9f61e6fcb6a850f765b76920 LinuxSecuritySummit2010 0 90 3292 2012-05-23T23:48:22Z JamesMorris 2 New page: == Linux Security Summit 2010 == (See also [[LinuxSecuritySummit2011|LSS 2011]]) <font color="navy"> === Latest News === </font> * ''18 Aug 2010:'' Presentation slides (where available)... wikitext text/x-wiki == Linux Security Summit 2010 == (See also [[LinuxSecuritySummit2011|LSS 2011]]) <font color="navy"> === Latest News === </font> * ''18 Aug 2010:'' Presentation slides (where available) linked to the [[LinuxSecuritySummit2010/Schedule#Presentations|Program]] * ''09 Aug 2010:'' The Summit was held, thanks to everyone involved!
* ''17 Jun 2010:'' The [[LinuxSecuritySummit2010/Schedule|Schedule]] is now posted! === Description === The aim of the Linux Security Summit is to provide a forum for collaboration between Linux OS security developers, researchers, and end users. It will be held in conjunction with [http://events.linuxfoundation.org/events/linuxcon/ LinuxCon] Boston. The format of the summit will be: * Selected presentations * Lightning talks * Q&A panel sessions Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques === Dates === * '''Event: 9th of August, 2010''' * CFP open: 22nd May, 2010 * CFP close: 4th June, 2010 * Speaker notification: 9th June, 2010 === Location === Renaissance Boston Waterfront, Boston, MA (see the [http://events.linuxfoundation.org/events/linuxcon/ LinuxCon] site for more details) === Schedule === * See the [[LinuxSecuritySummit2010/Schedule|Schedule]] for a timetable of the summit and talk abstracts. ** [https://security.wiki.kernel.org/index.php?title=LinuxSecuritySummit2010/Schedule&printable=yes Printable version] === Participation === Attendance will be open to registered LinuxCon attendees. Presentations were selected via a CFP process by the program committee. === Call for Participation === The CFP is currently '''closed'''. === Communicate === If you're attending, or interested in following the event, subscribe to the Linux Security Summit mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit This is for general discussion, event updates etc., and will also be used to estimate attendance numbers, so do please subscribe if you are planning to attend.
=== Program committee === * James Morris, Red Hat * Serge Hallyn, Canonical * Paul Moore, HP * Stephen Smalley, NSA * Joshua Brindle, Tresys * Tetsuo Handa, NTT Data * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Canonical * Casey Schaufler, Smack Project To contact the committee, send email to: lss-pc (_at_) ext.namei.org f3b58f23d55806a427113c6c291cb8b802cdcac5 3293 3292 2012-05-23T23:49:43Z JamesMorris 2 /* Linux Security Summit 2010 */ wikitext text/x-wiki == Linux Security Summit 2010 == (See also [[LinuxSecuritySummit2011|LSS 2011]]) <font color="navy"> === Latest News === </font> * ''18 Aug 2010:'' Presentation slides (where available) linked to the [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010/Schedule schedule] * ''09 Aug 2010:'' The Summit was held, thanks to everyone involved! * ''17 Jun 2010:'' The [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010/Schedule Schedule] is now posted! === Description === The aim of the Linux Security Summit is to provide a forum for collaboration between Linux OS security developers, researchers, and end users. It will be held in conjunction with [http://events.linuxfoundation.org/events/linuxcon/ LinuxCon] Boston.
The format of the summit will be: * Selected presentations * Lightning talks * Q&A panel sessions Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques === Dates === * '''Event: 9th of August, 2010''' * CFP open: 22nd May, 2010 * CFP close: 4th June, 2010 * Speaker notification: 9th June, 2010 === Location === Renaissance Boston Waterfront, Boston, MA (see the [http://events.linuxfoundation.org/events/linuxcon/ LinuxCon] site for more details) === Schedule === * See the [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010/Schedule Schedule] for a timetable of the summit and talk abstracts. ** [https://security.wiki.kernel.org/index.php?title=LinuxSecuritySummit2010/Schedule&printable=yes Printable version] === Participation === Attendance will be open to registered LinuxCon attendees. Presentations were selected via a CFP process by the program committee. === Call for Participation === The CFP is currently '''closed'''. === Communicate === If you're attending, or interested in following the event, subscribe to the Linux Security Summit mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit This is for general discussion, event updates etc., and will also be used to estimate attendance numbers, so do please subscribe if you are planning to attend. 
=== Program committee === * James Morris, Red Hat * Serge Hallyn, Canonical * Paul Moore, HP * Stephen Smalley, NSA * Joshua Brindle, Tresys * Tetsuo Handa, NTT Data * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Canonical * Casey Schaufler, Smack Project To contact the committee, send email to: lss-pc (_at_) ext.namei.org 32e094758e95c398d3398769327bd1d05ecd543d Events 0 6 3294 40 2012-05-23T23:50:37Z JamesMorris 2 wikitext text/x-wiki == Upcoming == ===2012=== * [[Linux Security Summit 2012]], San Diego, CA, USA. == Past == ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [[LinuxSecuritySummit2010|Linux Security Summit 2010]], Boston, MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland, OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland, OR, USA. **Event Details *Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 7d3e90a1a938d1d3a8a1b92782c92d7a237034a2 Linux Security Summit 2012/Schedule 0 91 3295 2012-06-27T03:50:50Z JamesMorris 2 New page: == Overview == This is the schedule for the [[LinuxSecuritySummit2012|Linux Security Summit 2012]], to be held in San Diego. ''Schedule subject to change: check this page for updates.''... wikitext text/x-wiki == Overview == This is the schedule for the [[LinuxSecuritySummit2012|Linux Security Summit 2012]], to be held in San Diego. ''Schedule subject to change: check this page for updates.'' == Presentations == TBA.... 04ab08ee229de60a5eddca36c8ae02f9bf8b596d 3309 3295 2012-06-27T04:27:45Z JamesMorris 2 wikitext text/x-wiki == Overview == This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego.
''Schedule subject to change: check this page for updates.'' == Presentations == TBA.... 20d333a63607c687f1b1d183ed0dd89671b9d8fb 3310 3309 2012-06-27T04:29:19Z JamesMorris 2 wikitext text/x-wiki == Overview == This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon] and several other developer events. == Presentations == TBA.... 6c1da946266d0a922469f27ba7a67a6d5155baa3 3311 3310 2012-06-27T04:29:39Z JamesMorris 2 /* Overview */ wikitext text/x-wiki == Overview == This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Presentations == TBA.... e62113679c1352d1f9c8b22b6ab3e727d59e8642 3312 3311 2012-06-27T04:31:36Z JamesMorris 2 wikitext text/x-wiki == Overview == This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
== Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | KEYNOTE | Matthew Garrett |- |09:30 | [[LinuxSecuritySummit2011/Abstracts/Ware_Meego|MeeGo Security Update]] | Ryan Ware, Intel |- |10:00 | [[LinuxSecuritySummit2011/Abstracts/Safford_Integrity|An Overview of the Linux Integrity Subsystem: Use Cases and Demonstration]] | David Safford and Mimi Zohar, IBM |- |''10:30'' |colspan="2"|''break'' |- |11:00 | [[LinuxSecuritySummit2011/Abstracts/Kasatkin_Digsig|Digital Signature support for IMA/EVM]] | Dmitry Kasatkin and Ryan Ware, Intel |- |11:30 | [[LinuxSecuritySummit2011/Abstracts/Kruus_Fedora|Protecting the Filesystem Integrity of a Fedora 15 Virtual Machine from Offline Attacks using IMA/EVM]] | Peter Kruus, JHU APL |- |12:00 | [[LinuxSecuritySummit2011/Abstracts/Drewry_dmverity|Efficient, TPM-free system integrity checking with device mapper: dm-verity]] | Will Drewry and Mandeep Baines, Google |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |} == Day 2 (31st Aug) == 092298f7a13aa7163fbe1448852a335b5f9bd30c 3313 3312 2012-06-27T04:36:18Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki == Overview == This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
== Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | Keynote Talk | Matthew Garrett, Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |} == Day 2 (31st Aug) == 3b23b7b3dac9087c88ec7a1a4b0f94df14cb4881 3314 3313 2012-06-27T04:36:53Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | Keynote Talk | Matthew Garrett, Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |} == Day 2 (31st Aug) == bacaf2c6fd4b86dcb215462f6f8c39c1e452009c 3315 3314 2012-06-27T04:37:18Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
= Program =

== Day 1 (30th Aug) ==

=== Presentations ===

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat
|-
|''09:50''
|colspan="2"|''break''
|-
|10:00
| [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]]
| Elena Reshetova, Intel
|-
|10:45
| [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database]]
| Paul Wouters, Red Hat
|-
|''11:30''
|colspan="2"|''break''
|-
|11:45
| [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]]
| Dan Walsh, Red Hat
|-
|''12:30''
|colspan="2"|''lunch (self-funded at nearby location)''
|-
|13:30
| [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]]
| Dmitry Kasatkin, Intel
|-
|14:15
| [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]]
| Andreas Steffen, University of Applied Sciences Rapperswil
|-
|''15:00''
|colspan="2"|''break''
|-
|15:15
| [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]]
| Stephen Smalley, National Security Agency
|-
|16:00
| [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]]
| Tetsuo Handa, NTT
|-
|16:45
| [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]]
| Kees Cook, Google
|-
|''17:15''
|colspan="2"|''finish''
|}

== Day 2 (31st Aug) ==

=== Kernel Security Subsystem Updates ===

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| '''Cryptography'''
| Herbert Xu, Red Hat
|-
|09:20
| '''AppArmor'''
| John Johansen, Canonical
|-
|09:40
| '''Key Management'''
| David Howells, Red Hat
|-
|''10:00''
|colspan="2"|''break''
|-
|10:20
| '''SELinux'''
| Eric Paris, Red Hat
|-
|10:40
| '''Integrity'''
| Mimi Zohar, IBM
|-
|11:00
| '''TOMOYO'''
| Tetsuo Handa, NTT
|-
|''11:20''
|colspan="2"|''break''
|-
|11:40
| '''Smack'''
| Casey Schaufler, Intel
|-
|12:00
| '''YAMA'''
| Kees Cook, Google
|-
|''12:20''
|colspan="2"|''lunch (self-funded at nearby location)''
|}

=== Breakout Sessions ===

Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee.

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Details
!Leader
|-
|14:00
| [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]]
| Corey Bryant, IBM
|-
|16:30
|colspan="2"|Breakout session reports
|-
|''17:00''
|colspan="2"|''finish''
|}

Linux Security Summit 2012/Abstracts/Reshetova (2012-06-27T03:54:29Z, JamesMorris)

== Title ==

Bootstrapping the Policies for LSMs for Native and Web Applications

== Presenter ==

Elena Reshetova

== Abstract ==

Having a good LSM enabled in your kernel is only the beginning of a long road towards getting your system secure. What usually takes most of the time and skill is putting a proper security policy in place and keeping it updated. Security policies for mobile devices are usually configured and managed remotely, which means that they should come as part of the application package and be handled by the installer. RPM is the default package manager in many operating systems, including Tizen OS. It already has integrated support for SELinux policies, but lacks a unified interface for all existing LSMs, such as Smack, TOMOYO, etc.
The talk will demonstrate the set of security hooks that are proposed for upstream RPM, which should be generic enough to satisfy the needs of each LSM and allow implementing the functionality of each LSM in a separate rpm plug-in without any changes needed to rpm itself. The proof of concept implementation of such a plug-in [1] and examples of package policy (manifest) are given for the Smack LSM that has been integrated into Tizen OS [2]. In addition, the talk will touch on the question of creating policies for web applications and the challenge of keeping both native and web application policies in sync.

References:
[1] Rpm security hooks and code of the MSM plug-in, https://github.com/ereshetova/rpm/tree/security-changes
[2] MSM plug-in wiki, https://github.com/ereshetova/rpm/wiki
072a90b00a5e199df23049db13caca993dce5ea8 Linux Security Summit 2012/Abstracts/Reshetova bootstrapping 0 93 3298 2012-06-27T03:54:57Z JamesMorris 2 [[Linux Security Summit 2012/Abstracts/Reshetova bootstrapping]] moved to [[Linux Security Summit 2012/Abstracts/Reshetova]] wikitext text/x-wiki
#REDIRECT [[Linux Security Summit 2012/Abstracts/Reshetova]]
9b02acb8da30ee0376624a31ce57f69a4eb87b61 Linux Security Summit 2012/Abstracts/Wouters 0 94 3300 2012-06-27T03:57:11Z JamesMorris 2 New page: == Title == DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database == Presenter == Paul Wouters, Red Hat == Abstract == DNSSEC was designed to protect the Domai... wikitext text/x-wiki

== Title ==
DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database

== Presenter ==
Paul Wouters, Red Hat

== Abstract ==
DNSSEC was designed to protect the Domain Name System from an ever increasing stream of DNS spoofing attacks and (non-)malicious DNS rewriting schemes. But from the start, many intended to use this new distributed and digitally signed database for other purposes as well. DNSSEC can already be used to secure large scale TLS, SSH and VPN deployments. Other emerging ideas to use DNSSEC in the near future include protecting instant messaging and email traffic, and identification of WebID, OTR and PGP identities. And with DNSSEC chains, devices could even authenticate to each other without an active internet connection.

The audience is strongly encouraged to discuss and find out if and how they can leverage DNSSEC for themselves. A discussion comparing DNSSEC against the Certificate Agency industry is sure to fill up any remaining time.
The presentation will be given using a Linux laptop utilising a VPN and TLS connection secured by cryptographic keys obtained via DNSSEC.
23353ee9eaee79b25253944d00395bfccbbc3949 Linux Security Summit 2012/Abstracts/Walsh 0 95 3302 2012-06-27T03:58:34Z JamesMorris 2 New page: == Title == Linux Sandbox Version II - Sandboxing Server Applications == Presenter == Dan Walsh, Red Hat == Abstract == This talk will describe the new Linux Secure Container Applicat... wikitext text/x-wiki

== Title ==
Linux Sandbox Version II - Sandboxing Server Applications

== Presenter ==
Dan Walsh, Red Hat

== Abstract ==
This talk will describe the new Linux Secure Container Applications. Linux Secure Applications is a combination of Linux Containers, Cgroups and SELinux Sandboxing, all launched by libvirt and integrated with systemd. libvirt now has the ability to launch multiple Sandboxed Containers to run application servers on a machine at the same time. It will allow you to run multiple apache servers at the same time, each with their own IP Address, isolated from each other. This talk will demo the tools used to set up the containers, and will explain how it works.
ce68831dddab7a149e07a275c4ce47b76136eddf Linux Security Summit 2012/Abstracts/Kasatkin 0 96 3303 2012-06-27T04:00:42Z JamesMorris 2 New page: == Title == Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM) == Presenter == Dmitry Kasatkin == Abstract == The talk will introduce new extensions to the IMA/EVM ... wikitext text/x-wiki

== Title ==
Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)

== Presenter ==
Dmitry Kasatkin

== Abstract ==
The talk will introduce new extensions to the IMA/EVM kernel integrity subsystem. The Extended Verification Module (EVM) has been integrated into the Linux kernel since 3.2, and the digital signature verification extension since 3.3.

Currently there is an effort going on to integrate the IMA-appraisal extension, which allows local integrity appraisal based on hashes and digital signatures. The IMA-appraisal extension protects the integrity of regular files, which is not enough to implement full integrity protection of the system. It is also necessary to protect the integrity of directories and special files, such as symbolic links, device nodes, sockets and pipes. Directory integrity verification has already been implemented and is available in my tree at git.kernel.org. I will submit patches for RFC shortly. Patches for protecting the integrity of special files are currently under development and expected to be ready before the summit.
171efb739f97cda0fdc66dffa762b63896cf1bf7 Linux Security Summit 2012/Abstracts/Steffen 0 97 3304 2012-06-27T04:04:45Z JamesMorris 2 New page: == Title == The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment == Presenter == Andreas Steffen, HSR University of Applied Sciences Rapperswil, Switzerland == Abstr... wikitext text/x-wiki

== Title ==
The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment

== Presenter ==
Andreas Steffen, HSR University of Applied Sciences Rapperswil, Switzerland

== Abstract ==
The Integrity Measurement Architecture (IMA) introduced with the Linux 2.6.30 kernel extends its BIOS measurements taken during the pre-boot phase into the Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM). The IETF Network Endpoint Assessment (NEA) reference model (RFC 5209) defines Posture Attribute (PA), Posture Broker (PB) and Posture Transport (PT) protocols which allow the exchange of security measurement data between a NEA client and a NEA server.

The open source Linux strongSwan VPN software implements the PA-TNC (RFC 5792), PB-TNC (RFC 5793) and PT-EAP (draft-ietf-nea-pt-eap) protocols over a secure IKEv2 EAP TTLS communication channel and can act either as a NEA client collecting IMA measurement data signed by the TPM or as a NEA server validating the received measurements against reference values stored in a database. Based on the assessment result the NEA server either grants or denies network access to the NEA client.

This talk will give a short overview of the IETF NEA framework and will then present the implemented TPM-based IMA BIOS measurements use case. Finally an outlook will be given on how remote attestation could be extended to EVM file measurements.

Links:

TPM-based Remote Attestation of the IMA BIOS measurements
* NEA client side: http://wiki.strongswan.org/projects/strongswan/wiki/PTS-IMC
* NEA server side: http://wiki.strongswan.org/projects/strongswan/wiki/PTS-IMV

strongSwan’s TNC-based Network Endpoint Assessment capabilities
http://www.strongswan.org/tnc/
709994447f2fc8966deb619384b689c9c2d86d26 Linux Security Summit 2012/Abstracts/Handa 0 98 3306 2012-06-27T04:22:56Z JamesMorris 2 New page: == Title == CaitSith - A New Type of Rule Based In-kernel Access Control == Presenter == Tetsuo Handa, NTT Data Intellilink == Abstract == There had been various attempts for enforcin... wikitext text/x-wiki

== Title ==
CaitSith - A New Type of Rule Based In-kernel Access Control

== Presenter ==
Tetsuo Handa, NTT Data Intellilink

== Abstract ==
There have been various attempts at enforcing rule based access control in the Linux kernel. Many distributions nowadays enable some of the in-tree LSM modules. However, many people are still disabling these modules because these modules are too complicated for them to use. Although the white-listing approach is more popular among security experts than the black-listing approach, the black-listing approach seems to be popular among those who are not security experts.

In this presentation, CaitSith, a new type of rule based access control that mixes the capability model and the ACL model, is proposed. The rules in CaitSith are similar to those of a network firewall and allow a black-listing approach. Expected audiences are Linux users who are disabling in-tree LSM modules, are seeking a more simplified form of in-kernel access control, or are developing LSM modules. Audiences will learn why CaitSith was developed and the basic usage of CaitSith.

Tetsuo Handa is the main author of TOMOYO (one of the in-tree LSM modules), AKARI (a loadable kernel module version of TOMOYO) and CaitSith. He was involved in the area of in-kernel access control from April 2003 to March 2012 at NTT DATA CORPORATION, Japan. He has given talks/BoFs at several Linux related international conferences and at PacSec 2008.
10f6be517564fa8d61e049d3078d85f427ffee16 Linux Security Summit 2012/Abstracts/Cook 0 99 3307 2012-06-27T04:24:17Z JamesMorris 2 New page: == Title == Finding kernel vulnerabilities using Coccinelle == Presenter == Kees Cook, Google == Abstract == The "spatch" tool gets a lot of use in the kernel already for making wide ... wikitext text/x-wiki

== Title ==
Finding kernel vulnerabilities using Coccinelle

== Presenter ==
Kees Cook, Google

== Abstract ==
The "spatch" tool gets a lot of use in the kernel already for making wide changes, or for finding bugs and anti-patterns. Finding security flaws is, of course, also possible. This presentation will show how several Coccinelle rules were developed and used in finding various kernel vulnerabilities both large (CVE-2010-2962, CVE-2010-2963) and small (CVE-2010-4655, CVE-2010-4656). Finally, we will open a discussion on how to continue to expand the corpus and keep it running against new kernel releases.
2aadbd47b9bafdd5d797b3588e547cdceff7d4f2 Linux Security Summit 2012/Abstracts/Smalley 0 100 3308 2012-06-27T04:26:42Z JamesMorris 2 New page: == Title == Middleware MAC for Android == Presenter == Stephen Smalley, NSA == Abstract == This talk will introduce the NSA's work on developing middleware MAC (mandatory access contr... wikitext text/x-wiki

== Title ==
Middleware MAC for Android

== Presenter ==
Stephen Smalley, NSA

== Abstract ==
This talk will introduce the NSA's work on developing middleware MAC (mandatory access control) for the Android platform.
52f9a7bb661c66583930146880efe71ff330f5ec Linux Security Summit 2012/Abstracts/Bryant 0 101 3325 2012-06-27T05:22:36Z JamesMorris 2 New page: == Title == LF Linux Security Workgroup BoF == Leader == Corey Bryant, IBM LTC Security == Abstract == This proposal is for a BoF session in response to The Linux Foundation's desire... wikitext text/x-wiki

== Title ==
LF Linux Security Workgroup BoF

== Leader ==
Corey Bryant, IBM LTC Security

== Abstract ==
This proposal is for a BoF session in response to The Linux Foundation's desire to create a Linux security workgroup. The main goal of the working group is to provide on-going security reviews of Linux kernel subsystems to maintain trust and confidence in the security of the Linux ecosystem. These efforts may consist of running/creating automated tools, static analysis, fuzz testing, code audits, etc. There is a 2013 plan in place at IBM to contribute to these efforts on KVM/QEMU code. KVM is a prime area for investigation since protecting the host from guest breakout is a high priority for many stakeholders. This session will enable discussion with other potential contributors with an eye towards forming a working group.
ff8e2b6f2c41ead87e00d0675fc9789c21644bac Linux Security Summit 2012 0 8 3330 3287 2012-06-27T05:58:55Z JamesMorris 2 wikitext text/x-wiki

=Description=
The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Short talks
* Roundtable discussions
* Breakout development sessions

= Schedule =
The schedule is now published! See [[Linux_Security_Summit_2012/Schedule]]

=Dates and Location=
The Linux Security Summit for 2012 will be held across 30 and 31 August in San Diego, CA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as Linux Plumbers and the Kernel Summit.

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.

=Call for Participation=
The Linux Security Summit call for participation (CFP) is now open, and will close on 23rd of May.

The program committee currently seeks proposals for:
* '''Refereed Presentations''' 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* '''Short Talks''' 30 minutes in length, discussion-oriented. Slides should be minimal.
* '''Roundtable Discussion Topics''' These discussions are typically one hour in length and used to explore and resolve current issues.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

=Attendance=
The event is open to all registered LinuxCon attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.

=Program Committee=
The Linux Security Summit for 2012 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Tresys
* Tetsuo Handa, NTT Data Intellilink
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org
629fff3cf7385f633097aec44f99cd417def2de5
Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. =Call for Participation= The Linux Security Summit call for participation (CFP) is now open, and will close on 23rd of May. The program committee currently seeks proposals for: * '''Refereed Presentations''' 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * '''Short Talks''' 30 minutes in length, discussion-oriented. Slides should be minimal. * '''Roundtable Discussion Topics''' These discussions are typically one hour in length and used to explore and resolve current issues. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. =Attendance= The event is open to all registered LinuxCon attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users. 
=Program Committee= The Linux Security Summit for 2012 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Tresys * Tetsuo Handa, NTT * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 3d40accee8664cf30044150d195a9bbf70c3923f Linux Security Summit 2012/Abstracts/Handa 0 98 3338 3306 2012-06-27T14:03:25Z JamesMorris 2 /* Presenter */ wikitext text/x-wiki == Title == CaitSith - A New Type of Rule Based In-kernel Access Control == Presenter == Tetsuo Handa, NTT == Abstract == There have been various attempts at enforcing rule-based access control in the Linux kernel. Many distributions nowadays enable some of the in-tree LSM modules. However, many people still disable these modules because they are too complicated for them to use. Although the white-listing approach is more popular among security experts than the black-listing approach, the black-listing approach seems to be popular among those who are not security experts. In this presentation, CaitSith, a new type of rule-based access control that mixes the capability model and the ACL model, is proposed. The rules in CaitSith are similar to network firewall rules and allow a black-listing approach. The expected audience is Linux users who are disabling in-tree LSM modules, are seeking a simpler form of in-kernel access control, or are developing LSM modules. Attendees will learn why CaitSith was developed and the basic usage of CaitSith. Tetsuo Handa is the main author of TOMOYO (one of the in-tree LSM modules), AKARI (a loadable kernel module version of TOMOYO) and CaitSith. He was involved in the area of in-kernel access control from April 2003 to March 2012 at NTT DATA CORPORATION, Japan. He has given talks/BoFs at several Linux-related international conferences and at PacSec 2008. 
20bfdda48b55e750bd36d60488a2a97a3ac08993 Linux Security Summit 2012/Schedule 0 91 3339 3337 2012-08-09T23:42:28Z KeesCook 3 /* Kernel Security Subsystem Updates */ Yama capitalization wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. = Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, 
NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''Yama''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:00 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |16:30 |colspan="2"|Breakout session reports |- |''17:00'' |colspan="2"|''finish'' |} 10ca6355d3e80d415e07d9fcb7ab248e50942de6 3340 3339 2012-08-29T02:42:33Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' 
|colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''Yama''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:00 |Lightning Talks | Casey Schaufler, Intel |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 5a18feb767eb330cc6d45c42743aad7a3836e006 3341 3340 2012-08-29T04:30:53Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' 
|colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''Yama''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a lightning talk, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 31022cb8fa161f18a833d7cfef595f5bbe72e7dd 3342 3341 2012-08-29T04:31:32Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' 
|colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''Yama''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a lightning talk, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} f77374c3d624cbdebd8db5da6f1d185788f26777 3343 3342 2012-08-29T04:32:18Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' 
|colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''Yama''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a lightning talk, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 0b026275fedf337d04b960eb2130cdfb9ee2898d 3344 3343 2012-08-29T04:33:11Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' 
|colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''Yama''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a lightning talk, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 4b3d64a4bffe72c579dd4ca81b5d1ec3cc56c9c8 3345 3344 2012-08-29T04:34:01Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' 
|colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''Yama''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a lightning talk, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 89bca4e2b9f7d88e2ed47bda3616e87a2ae86fe5 3346 3345 2012-08-29T04:34:40Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' 
|colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''Yama''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 15dd0f0302b29f109b9552f8f610d7d03ee91003 3348 3346 2012-08-30T00:01:41Z JamesMorris 2 wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' 
|colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''Yama''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} b4d093ae7ff099e4eefd3683fb6f5c4d65cca9de 3353 3348 2012-08-31T16:49:33Z KeesCook 3 /* Kernel Security Subsystem Updates */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' 
|colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''[http://outflux.net/slides/2012/lss/lsm/ Yama]''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 0b0b807cc5c2b1ff3f0f1312ed00f4a308aa05c6 3354 3353 2012-09-09T12:01:09Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |-� |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities 
Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' | Casey Schaufler, Intel |- |12:00 | '''[http://outflux.net/slides/2012/lss/lsm/ Yama]''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} e7eab9633a12314e7b2066d9a88b860899fa2a19 3355 3354 2012-09-09T12:08:05Z JamesMorris 2 /* Kernel Security Subsystem Updates */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. 
== Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. = Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |-� |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo 
Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)] | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)] | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)] | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)] | Casey Schaufler, Intel |- |12:00 | '''[http://outflux.net/slides/2012/lss/lsm/ Yama]''' | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. 
{| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 78c175482fb529a77c45c856918954a752462ef5 3356 3355 2012-09-09T12:10:10Z JamesMorris 2 /* Kernel Security Subsystem Updates */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. = Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry 
Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |-� |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)] | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)] | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)] | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)] | Casey Schaufler, Intel |- |12:00 | '''Yama''' [http://kernsec.org/files/yama.pdf (slides)] | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. 
{| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} aca3d7d58d8d6c82ae0098a7d464e74bf6c57d46 3357 3356 2012-09-09T23:55:27Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities 
Using Coccinelle]] [http://kernsec.org/files/Coccinelle.pdf (slides)] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)] | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)] | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)] | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)] | Casey Schaufler, Intel |- |12:00 | '''Yama''' [http://kernsec.org/files/yama.pdf (slides)] | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. 
{| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 39f624fafca773ee281b68f5dedec394b5d4cd87 3358 3357 2012-09-09T23:56:58Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. = Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry Kasatkin, Intel |- | 14:15 | 
[[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] [http://kernsec.org/files/CaitSith-en.pdf (slides)] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] [http://kernsec.org/files/Coccinelle.pdf (slides)] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)] | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)] | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)] | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)] | Casey Schaufler, Intel |- |12:00 | '''Yama''' [http://kernsec.org/files/yama.pdf (slides)] | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the 
program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 6cf3e05b8ff54d32d5142d45ac94413134b9cf48 3359 3358 2012-09-10T14:16:49Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. 
= Program =
== Day 1 (30th Aug) ==
=== Presentations ===
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat
|-
|''09:50''
|colspan="2"|''break''
|-
|10:00
| [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)]
| Elena Reshetova, Intel
|-
|10:45
| [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)]
| Paul Wouters, Red Hat
|-
|''11:30''
|colspan="2"|''break''
|-
| 11:45
| [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] [http://kernsec.org/files/securelinuxcontainers.pdf (slides)]
| Dan Walsh, Red Hat
|-
|''12:30''
|colspan="2" |''lunch (self-funded at nearby location)''
|-
| 13:30
| [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)]
| Dmitry Kasatkin, Intel
|-
| 14:15
| [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)]
| Andreas Steffen, University of Applied Sciences Rapperswil
|-
|''15:00''
|colspan="2"|''break''
|-
| 15:15
| [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)]
| Stephen Smalley, National Security Agency
|-
| 16:00
| [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] [http://kernsec.org/files/CaitSith-en.pdf (slides)]
| Tetsuo Handa, NTT
|-
| 16:45
| [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] [http://kernsec.org/files/Coccinelle.pdf (slides)]
| Kees Cook, Google
|-
|''17:15''
|colspan="2"|''finish''
|}

== Day 2 (31st Aug) ==
=== Kernel Security Subsystem Updates ===
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)]
| Herbert Xu, Red Hat
|-
|09:20
| '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)]
| John Johansen, Canonical
|-
|09:40
| '''Key Management'''
| David Howells, Red Hat
|-
|''10:00''
|colspan="2"|''break''
|-
|10:20
| '''SELinux'''
| Eric Paris, Red Hat
|-
|10:40
| '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)]
| Mimi Zohar, IBM
|-
|11:00
| '''TOMOYO'''
| Tetsuo Handa, NTT
|-
|''11:20''
|colspan="2"|''break''
|-
|11:40
| '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)]
| Casey Schaufler, Intel
|-
|12:00
| '''Yama''' [http://kernsec.org/files/yama.pdf (slides)]
| Kees Cook, Google
|-
|''12:20''
|colspan="2" |''lunch (self-funded at nearby location)''
|}

=== Lightning Talks ===
If you wish to add a lightning talk topic, email the program committee, or propose a topic on the day. Space is limited.

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Topic
!Speaker
|-
|rowspan="1"|14:00
| Trinity: Linux system call fuzzing
| Dave Jones, Red Hat
|}

=== Breakout Sessions ===
Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee.

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Details
!Leader
|-
|14:30
| [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]]
| Corey Bryant, IBM
|-
|17:00
|colspan="2"|Breakout session reports
|-
|''17:30''
|colspan="2"|''finish''
|}
c857f12913c9316e6e8ffab35c9494be70d388e2 3362 3359 2012-09-12T00:58:00Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. = Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk - UEFI Secure Boot'''</span> | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat [http://kernsec.org/files/security_summit_uefi_2012.odp (slides)] |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] [http://kernsec.org/files/securelinuxcontainers.pdf (slides)] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux
kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] [http://kernsec.org/files/CaitSith-en.pdf (slides)] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] [http://kernsec.org/files/Coccinelle.pdf (slides)] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)] | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)] | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)] | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)] | Casey Schaufler, Intel |- |12:00 | '''Yama''' [http://kernsec.org/files/yama.pdf (slides)] | Kees Cook, Google |- 
|''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} b12c545bc210d73de0ff93c88edbfde3417f4274 3363 3362 2012-09-12T00:58:53Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk - UEFI Secure Boot'''</span> [http://kernsec.org/files/security_summit_uefi_2012.odp (slides)] | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] [http://kernsec.org/files/securelinuxcontainers.pdf (slides)] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of 
Rule Based In-kernel Access Control]] [http://kernsec.org/files/CaitSith-en.pdf (slides)] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] [http://kernsec.org/files/Coccinelle.pdf (slides)] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)] | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)] | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)] | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)] | Casey Schaufler, Intel |- |12:00 | '''Yama''' [http://kernsec.org/files/yama.pdf (slides)] | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. 
{| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 8171700e1d761a4e85dc0c860fa854a55fc6c845 3364 3363 2012-09-12T00:59:08Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. = Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk - UEFI Secure Boot'''</span> [http://kernsec.org/files/security_summit_uefi_2012.odp (slides)] | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] [http://kernsec.org/files/securelinuxcontainers.pdf (slides)] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux 
kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] [http://kernsec.org/files/CaitSith-en.pdf (slides)] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] [http://kernsec.org/files/Coccinelle.pdf (slides)] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)] | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)] | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)] | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)] | Casey Schaufler, Intel |- |12:00 | '''Yama''' [http://kernsec.org/files/yama.pdf (slides)] | Kees Cook, Google |- 
|''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 4f17fa444ecf370c155439f362553ddb809e35ef 3365 3364 2012-09-12T00:59:28Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. 
= Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> UEFI Secure Boot [http://kernsec.org/files/security_summit_uefi_2012.odp (slides)] | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] [http://kernsec.org/files/securelinuxcontainers.pdf (slides)] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of 
Rule Based In-kernel Access Control]] [http://kernsec.org/files/CaitSith-en.pdf (slides)] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] [http://kernsec.org/files/Coccinelle.pdf (slides)] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)] | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)] | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)] | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)] | Casey Schaufler, Intel |- |12:00 | '''Yama''' [http://kernsec.org/files/yama.pdf (slides)] | Kees Cook, Google |- |''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. 
{| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 83369db06c68d394d5c657b3b8b05cc449d174f9 3366 3365 2012-09-12T00:59:57Z JamesMorris 2 /* Presentations */ wikitext text/x-wiki = Overview = This is the schedule for the [[Linux_Security_Summit_2012|Linux Security Summit 2012]], to be held in San Diego on August 30th and 31st, 2012. The summit this year will be a two-day event, co-located with [https://events.linuxfoundation.org/events/linuxcon/ LinuxCon]. == Meeting Room == The summit will be held in the '''Executive Center 4''' room on the first floor. = Program = == Day 1 (30th Aug) == === Presentations === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk: UEFI Secure Boot'''</span> [http://kernsec.org/files/security_summit_uefi_2012.odp (slides)] | [http://mjg59.dreamwidth.org/ Matthew Garrett], Red Hat |- |''09:50'' |colspan="2"|''break'' |- |10:00 | [[Linux_Security_Summit_2012/Abstracts/Reshetova|Bootstrapping the Policies for LSMs for Native and Web Applications]] [http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf (slides)] | Elena Reshetova, Intel |- |10:45 | [[Linux_Security_Summit_2012/Abstracts/Wouters|DNSSEC: The Shiny New Cryptographically Secured Globally Distributed Database ]] [http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf (slides)] | Paul Wouters, Red Hat |- |''11:30'' |colspan="2"|''break'' |- | 11:45 | [[Linux_Security_Summit_2012/Abstracts/Walsh|Linux Sandbox Version II - Sandboxing Server Applications]] [http://kernsec.org/files/securelinuxcontainers.pdf (slides)] | Dan Walsh, Red Hat |- |''12:30'' |colspan="2" |''lunch (self-funded at nearby location)'' |- | 13:30 | [[Linux_Security_Summit_2012/Abstracts/Kasatkin|Upcoming Extensions to the Linux 
kernel Integrity Subsystem (IMA/EVM)]] [http://kernsec.org/files/Integrity_Protection_LSS_2012.pdf (slides)] | Dmitry Kasatkin, Intel |- | 14:15 | [[Linux_Security_Summit_2012/Abstracts/Steffen|The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment]] [http://kernsec.org/files/LSS_2012_strongSwan_IMA_slides.pdf (slides)] [http://kernsec.org/files/LSS_2012_strongSwan_IMA.pdf (paper)] | Andreas Steffen, University of Applied Sciences Rapperswil |- |''15:00'' |colspan="2"|''break'' |- | 15:15 | [[Linux_Security_Summit_2012/Abstracts/Smalley|Middleware MAC for Android]] [http://kernsec.org/files/LSS2012-MiddlewareMAC.pdf (slides)] | Stephen Smalley, National Security Agency |- | 16:00 | [[Linux_Security_Summit_2012/Abstracts/Handa|CaitSith: A New Type of Rule Based In-kernel Access Control]] [http://kernsec.org/files/CaitSith-en.pdf (slides)] | Tetsuo Handa, NTT |- | 16:45 | [[Linux_Security_Summit_2012/Abstracts/Cook|Finding Kernel Vulnerabilities Using Coccinelle]] [http://kernsec.org/files/Coccinelle.pdf (slides)] | Kees Cook, Google |- |''17:15'' |colspan="2"|''finish'' |} == Day 2 (31st Aug) == === Kernel Security Subsystem Updates === {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | '''Cryptography''' [http://kernsec.org/files/crypto-201208.odp (slides)] | Herbert Xu, Red Hat |- |09:20 | '''AppArmor''' [http://kernsec.org/files/apparmor-update.odp (slides)] | John Johansen, Canonical |- |09:40 | '''Key Management''' | David Howells, Red Hat |- |''10:00'' |colspan="2"|''break'' |- |10:20 | '''SELinux''' | Eric Paris, Red Hat |- |10:40 | '''Integrity''' [http://kernsec.org/files/LSS-2012-integrity.odp (slides)] | Mimi Zohar, IBM |- |11:00 | '''TOMOYO''' | Tetsuo Handa, NTT |- |''11:20'' |colspan="2"|''break'' |- |11:40 | '''Smack''' [http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf (slides)] | Casey Schaufler, Intel |- |12:00 | '''Yama''' [http://kernsec.org/files/yama.pdf (slides)] | Kees Cook, Google |- 
|''12:20'' |colspan="2" |''lunch (self-funded at nearby location)'' |} === Lightning Talks === If you wish to add a breakout session topic, email the program committee, or propose a topic on the day. Space is limited. {| border="1" cellpadding="6" cellspacing="0" !Time !Topic !Speaker |- |rowspan="1"|14:00 | Trinity: Linux system call fuzzing | Dave Jones, Red Hat |} === Breakout Sessions === Freeform track for smaller groups to collaborate on specific issues. If you wish to add a breakout session topic, email the program committee. {| border="1" cellpadding="6" cellspacing="0" !Time !Details !Leader |- |14:30 | [[Linux_Security_Summit_2012/Abstracts/Bryant|LF Linux Security Workgroup BOF]] | Corey Bryant, IBM |- |17:00 |colspan="2"|Breakout session reports |- |''17:30'' |colspan="2"|''finish'' |} 21e743bdf347954ccf376c49bc2e6800e782dabc Linux Security Summit 2012 0 8 3347 3336 2012-08-30T00:00:45Z JamesMorris 2 /* Dates and Location */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Short talks * Roundtable discussions * Breakout development sessions = Schedule = [[Linux_Security_Summit_2012/Schedule|Schedule details]] (subject to change) =Dates and Location= '''Meeting room: Executive Center 4''' The Linux Security Summit for 2012 will be held across 30 and 31 August in San Diego, CA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as Linux Plumbers and the Kernel Summit. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. 
=Call for Participation=

The Linux Security Summit call for participation (CFP) is now open, and will close on 23rd of May.

The program committee currently seeks proposals for:
* '''Refereed Presentations''': 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* '''Short Talks''': 30 minutes in length, discussion-oriented. Slides should be minimal.
* '''Roundtable Discussion Topics''': These discussions are typically one hour in length and used to explore and resolve current issues.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

=Attendance=

The event is open to all registered LinuxCon attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.
=Program Committee=

The Linux Security Summit for 2012 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Tresys
* Tetsuo Handa, NTT
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

Page: Linux Security Summit 2012/Abstracts/Cook (revision 3352, parent 3351, 2012-08-31T16:48:47Z, KeesCook, edit summary: /* Slides */)

== Title ==

Finding kernel vulnerabilities using Coccinelle

== Presenter ==

Kees Cook, Google

== Abstract ==

The "spatch" tool gets a lot of use in the kernel already for making wide changes, or for finding bugs and anti-patterns. Finding security flaws is, of course, also possible. This presentation will show how several Coccinelle rules were developed and used in finding various kernel vulnerabilities both large (CVE-2010-2962, CVE-2010-2963) and small (CVE-2010-4655, CVE-2010-4656). Finally, we will open a discussion on how to continue to expand the corpus and keep it running against new kernel releases.

== Slides ==

[http://outflux.net/slides/2012/lss/coccinelle/ Finding Kernel Vulnerabilities Using Coccinelle]

Page: Events (revision 3361, parent 3360, 2012-09-12T00:56:40Z, JamesMorris)

== Upcoming ==

===2013===
TBA

== Past ==

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

===2011===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

===2010===
* [[Linux Security Summit 2012]], Boston MA, USA.

===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf 20 January 2009, Hobart, Australia.
Page: Linux Security Workgroup (created by CoreyBryant on 2012-10-08; revisions 3367 to 3428 by CoreyBryant and KeesCook, last edited 2012-11-14)

The charter of the Linux Security Workgroup is to provide ongoing security verification and enhancements to the Linux kernel in order to assist in securing the Linux kernel and maintaining trust and confidence in the security of the Linux ecosystem.

This may include, but is not limited to:
* security development projects for hardening the kernel
* tooling to assist in securing the Linux kernel
* verification and testing of critical subsystems for vulnerabilities
* security improvements for build tools
* providing guidance for maintaining subsystem security

= Communication =
* We're using the kernel-hardening mailing list, kernel-hardening@lists.openwall.com, for communication. The list can be subscribed to at: http://www.openwall.com/lists/#subscribe

= Projects =
* [[Active Projects]]
* [[Inactive Projects]]

Page history: the projects page was created on 2012-10-08 by CoreyBryant as "Active hardening projects", moved to "ActiveHardeningProjects", then to "Active Hardening Projects", and moved the same day by KeesCook to "Active Projects" ("let's not over-use 'hardening'"). "Active hardening projects" and "ActiveHardeningProjects" remain as redirects to the renamed page, and the workgroup page's link was updated at each step.
This page gives details on these projects in order to get an understanding of coverage and to prevent duplication of efforts. == Static Analysis == === Smatch === Smatch is a static analysis tool for C. Project page: http://repo.or.cz/w/smatch.git Contributors: Dan Carpenter, Fengguang Wu == Fuzz Testing == === Trinity === Trinity is a Linux system call fuzzer. Project page: http://codemonkey.org.uk/projects/trinity/ Contributors: Dave Jones, Fengguang Wu ac1f309d60101b5a309649d3af281d8832aade48 3392 3391 2012-10-08T14:53:30Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. == Static Analysis == === Smatch === Smatch is a static analysis tool for C. Project page: http://repo.or.cz/w/smatch.git Contributors: Dan Carpenter, Fengguang Wu == Fuzz Testing == === Trinity === Trinity is a Linux system call fuzzer. Project page: http://codemonkey.org.uk/projects/trinity/ Contributors: Dave Jones, Fengguang Wu 759946a2d07bb2174e795fbdc23781501d4d64b9 3393 3392 2012-10-08T14:53:49Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. == Static Analysis == === Smatch === Smatch is a static analysis tool for C. Project page: http://repo.or.cz/w/smatch.git Contributors: Dan Carpenter, Fengguang Wu == Fuzz Testing == === Trinity === Trinity is a Linux system call fuzzer. Project page: http://codemonkey.org.uk/projects/trinity/ Contributors: Dave Jones, Fengguang Wu c7d143a61b3d84740bb1c2b4bc773f1ab57325d7 3394 3393 2012-10-08T15:46:18Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. == Static Analysis == === Smatch === Smatch is a static analysis tool for C. Project page: http://repo.or.cz/w/smatch.git Who's running it: Dan Carpenter, Fengguang Wu Targeted subsystems: ? 
=== Coverity === Coverity provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects. Project page: Coverity is propietary. Who's running it: ? (Red Hat) Targeted subsystems: ? == Fuzz Testing == === Trinity === Trinity is a Linux system call fuzzer. Project page: http://codemonkey.org.uk/projects/trinity/ Who's running it: Dave Jones, Fengguang Wu 1bbe42f03be9ccf3145be259f88a91b40f3ec8af 3395 3394 2012-10-08T16:01:19Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. == Static Analysis == = Coccinelle = [http://en.wikipedia.org/wiki/Coccinelle_(software)|Coccinelle] is a tool for matching and fixing source code. Who's running it: Fengguang Wu Targeted subsystems: ? === Coverity === Coverity provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects. Project page: Coverity is propietary. Who's running it: ? (Red Hat) Targeted subsystems: ? === Smatch === Smatch is a static analysis tool for C. Project page: http://repo.or.cz/w/smatch.git Who's running it: Dan Carpenter, Fengguang Wu Targeted subsystems: ? == Fuzz Testing == === Trinity === Trinity is a Linux system call fuzzer. Project page: http://codemonkey.org.uk/projects/trinity/ Who's running it: Dave Jones, Fengguang Wu 77e23c0c8ae6a006c3032f72b6c1ec069a71d206 3396 3395 2012-10-08T16:03:10Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. == Static Analysis == = Coccinelle = [http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code. Who's running it: Fengguang Wu Targeted subsystems: ? === Coverity === Coverity provides static analysis tools for C, C++, and other languages. 
Red Hat's Coverity license allows results to be shared with upstream projects. Project page: Coverity is propietary. Who's running it: ? (Red Hat) Targeted subsystems: ? === Smatch === Smatch is a static analysis tool for C. Project page: http://repo.or.cz/w/smatch.git Who's running it: Dan Carpenter, Fengguang Wu Targeted subsystems: ? == Fuzz Testing == === Trinity === Trinity is a Linux system call fuzzer. Project page: http://codemonkey.org.uk/projects/trinity/ Who's running it: Dave Jones, Fengguang Wu f0af71af5a9f4129f59948db6d0510fa09680687 3397 3396 2012-10-08T16:07:01Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. == Static Analysis == = Coccinelle = [http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages. Who's running it: Fengguang Wu Targeted subsystems: ? === Coverity === [http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects. Who's running it: ? (Red Hat) Targeted subsystems: ? === Smatch === [http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C. Who's running it: Dan Carpenter, Fengguang Wu Targeted subsystems: ? == Fuzz Testing == === Trinity === [http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer. Who's running it: Dave Jones, Fengguang Wu Targeted subsystems: N/A? 1584891a70a978d818ed3c1fc1206b3e6177eff5 3398 3397 2012-10-08T16:08:23Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. = Static Analysis = == Coccinelle == [http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages. 
Who's running it: Fengguang Wu Targeted subsystems: ? == Coverity == [http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects. Who's running it: ? (Red Hat) Targeted subsystems: ? == Smatch == [http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C. Who's running it: Dan Carpenter, Fengguang Wu Targeted subsystems: ? = Fuzz Testing = == Trinity == [http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer. Who's running it: Dave Jones, Fengguang Wu Targeted subsystems: N/A? 11c3ffafcc1615fbd10b0d9765afa363f93c6fa7 3399 3398 2012-10-08T16:10:17Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. = Static Analysis = == Coccinelle == [http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages. Who's running it: Fengguang Wu, Artem Bityutskiy Targeted subsystems: ? == Coverity == [http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects. Who's running it: ? (Red Hat) Targeted subsystems: ? == Smatch == [http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C. Who's running it: Dan Carpenter, Fengguang Wu Targeted subsystems: ? = Fuzz Testing = == Trinity == [http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer. Who's running it: Dave Jones, Fengguang Wu Targeted subsystems: N/A? 6e0ada30a066fb2f4ba45b826eeb0a390d4690dd 3400 3399 2012-10-08T16:21:10Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. 
= Static Analysis = == Coccinelle == [http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages. Run by: * Fengguang Wu - Running against ? * Artem Bityutskiy - Running against ? == Coverity == [http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects. Run by: * Who's running Coverity at Red Hat and against what trees? == Smatch == [http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C. Run by: * Dan Carpenter - Running against linux-next x86_64 allmodconfig * Fengguang Wu - Running against ? = Fuzz Testing = == Trinity == [http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer. Run by: * Dave Jones and Fengguang Wu are running Trinity. 6eefac7e8fc3f336cd6d919f93ee8462aa36e172 3401 3400 2012-10-08T16:21:33Z CoreyBryant 4 wikitext text/x-wiki There are a number of active Linux Kernel hardening projects and this page gives details on some of them. = Static Analysis = == Coccinelle == [http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages. Run by: * Fengguang Wu - Running against ? * Artem Bityutskiy - Running against ? == Coverity == [http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects. Run by: * Who's running Coverity at Red Hat and against what trees? == Smatch == [http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C. Run by: * Dan Carpenter - Running against linux-next x86_64 allmodconfig * Fengguang Wu - Running against ? = Fuzz Testing = == Trinity == [http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer. 
Run by:
* Dave Jones and Fengguang Wu are running Trinity.

5d8f5d2666c0db49a80eb78f326b22d5fea9b154 3402 3401 2012-10-08T16:22:17Z CoreyBryant 4 wikitext text/x-wiki
There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

= Static Analysis =
== Coccinelle ==
[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?

== Coverity ==
[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Who's running Coverity at Red Hat and against what trees?

== Smatch ==
[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Fuzz Testing =
== Trinity ==
[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

2c98f66fe840ca0bc9835c58bcd03e8302753780 3407 3402 2012-10-08T21:47:21Z KeesCook 3 /* Coverity */ wikitext text/x-wiki
There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

= Static Analysis =
== Coccinelle ==
[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?

== Coverity ==
[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?
== Smatch ==
[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Fuzz Testing =
== Trinity ==
[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

35769b8e647b66ad52ec195cba62ce96149969a0 3408 3407 2012-10-08T21:48:39Z KeesCook 3 [[Active Hardening Projects]] moved to [[Active Projects]]: let's not over-use "hardening" wikitext text/x-wiki
There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

= Static Analysis =
== Coccinelle ==
[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?

== Coverity ==
[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?

== Smatch ==
[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Fuzz Testing =
== Trinity ==
[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

35769b8e647b66ad52ec195cba62ce96149969a0 3432 3408 2012-11-14T18:48:42Z CoreyBryant 4 wikitext text/x-wiki
There are a number of active Linux Kernel hardening projects and this page gives details on some of them. The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and prevent duplication of efforts.
= Static Analysis =
== Coccinelle ==
[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?

== Coverity ==
[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?

== Smatch ==
[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Fuzz Testing =
== Trinity ==
[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

1a04d87b425ef22396b7c0f5e36ba396c4cf61b9 3433 3432 2012-11-14T18:49:19Z CoreyBryant 4 wikitext text/x-wiki
There are a number of active Linux Kernel hardening projects and this page gives details on some of them. The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts.

= Static Analysis =
== Coccinelle ==
[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?

== Coverity ==
[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?

== Smatch ==
[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.
Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Fuzz Testing =
== Trinity ==
[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

e1d90dd02e92df40c45b1f7b9a4a90bc0aa0caf6 3434 3433 2012-11-14T18:49:29Z CoreyBryant 4 wikitext text/x-wiki
There are a number of active Linux Kernel hardening projects and this page gives details on some of them. The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts.

= Static Analysis =
== Coccinelle ==
[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?

== Coverity ==
[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?

== Smatch ==
[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Fuzz Testing =
== Trinity ==
[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.
fe8f90cecde8ef6cefad1c0964ba569449db64e9

Active Hardening Projects 0 106
3409 2012-10-08T21:48:39Z KeesCook 3 [[Active Hardening Projects]] moved to [[Active Projects]]: let's not over-use "hardening" wikitext text/x-wiki
#REDIRECT [[Active Projects]]

8923599e395b5848532547804392a7940742103b

Projects 0 5
3412 47 2012-10-08T21:59:25Z KeesCook 3 /* Kernel Security Projects */ wikitext text/x-wiki
== Kernel Security Projects ==
=== Access Control ===
* [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks
* [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system
* [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework
* [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux
* [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available)
* [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection, randomization and more...)
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework
* [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes

=== Integrity ===
This is a rapidly developing area, see the following LWN article for an overview:
* [http://lwn.net/Articles/309441/ System integrity in Linux]

=== Privileges ===
* [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities]
** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article]

=== Networking ===
There are several separately maintained projects relating to network security, including:
* [http://www.netfilter.org/ Netfilter] packet filtering
* Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog]
* [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter

=== Storage ===
* [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices

=== Cryptography ===
The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list].

=== Working Group ===
* [[Linux Security Workgroup]]

60c917e8ca2fdfdc8bdd16440e02728b23ff3ade

Inactive Projects 0 107
3413 2012-11-12T21:21:42Z CoreyBryant 4 New page: There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them.
If you are already contributing, or pla... wikitext text/x-wiki
There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them.

If you are already contributing, or plan to contribute, to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =
== Security Code Review Guidelines ==
This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==
This project would provide support to determine if patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =
This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

b8bbe1af33dd5a921a2b3de192c85ed94b4b2604 3414 3413 2012-11-12T21:22:20Z CoreyBryant 4 wikitext text/x-wiki
There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them.

If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =
== Security Code Review Guidelines ==
This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits.
This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==
This project would provide support to determine if patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =
This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

e79d560d4f6973d50b3fcd5bf5526d4a5105b2b8 3416 3414 2012-11-12T22:11:49Z CoreyBryant 4 wikitext text/x-wiki
There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them.

If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =
== Security Code Review Guidelines ==
This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==
This project would provide support to determine if patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =
This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.
= Development =
There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. They have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==
A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:
* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

9b20d90afddca7ce1da9569c0633938dc6e3a7ee 3417 3416 2012-11-12T22:12:25Z CoreyBryant 4 wikitext text/x-wiki
There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them.

If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =
== Security Code Review Guidelines ==
This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==
This project would provide support to determine if patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =
This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =
There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.
== Symlink Protection ==
A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:
* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.
[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

cb98057b9ce58a82dd8e0f9c4ee2996cb91a9dee 3418 3417 2012-11-12T22:16:50Z CoreyBryant 4 wikitext text/x-wiki
There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them.

If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =
== Security Code Review Guidelines ==
This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==
This project would provide support to determine if patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =
This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =
There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==
A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/.
The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:
* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==
Hardlinks can be abused in a similar fashion to symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory.
While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor untraceable quota-bypassing local denial of service is possible by an attacker exhausting disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that a given user would be unable to write to originally.

Some links to the history of its discussion:
* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then, or better yet OpenBSD-derived crond should be used instead, which includes at(1) support (and it never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is SGID to group crontab then) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

4ea78bf2a2942410520cba21877549e1eb56b450 3419 3418 2012-11-12T22:23:27Z CoreyBryant 4 wikitext text/x-wiki
There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them.

If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =
== Security Code Review Guidelines ==
This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==
This project would provide support to determine if patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =
This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =
There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.
== Symlink Protection ==
A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:
* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.
[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==
Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor untraceable quota-bypassing local denial of service is possible by an attacker exhausting disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that a given user would be unable to write to originally.

Some links to the history of its discussion:
* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then, or better yet [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and it never had the problem with hardlinks).
The latter solution also gets rid of a SUID root program (at(1) is SGID to group crontab then) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==
As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) was compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] is fully possible if ptrace is allowed normally.

For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID, and strace -p PID still work as root).
This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace. A value of "0" restores the prior more permissive behavior, which may be more appropriate for some development systems and servers with only admin accounts. Using "sudo" can also grant temporarily ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process. [http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch] 298f3545b3ebe119979a2b9602637344d0d7bb9e 3420 3419 2012-11-12T22:27:20Z CoreyBryant 4 wikitext text/x-wiki There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering. = Process Improvements = == Security Code Review Guidelines == This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys laying around. == Patch Signing == This project would provide support to determine if patches have been modified or tampered since they were signed. = Verification of Critical Subsystems = This project would provide verification of critical subsystems such as: * Networking * Network file systems * KVM * Cryptographic library * Kernel build infrastructure This could include approaches such as manual audits, static analysis, fuzzing testing, etc. = Development = There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. 
Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when the users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:

* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to the symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor, untraceable, quota-bypassing local denial of service is possible: an attacker can exhaust disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that the given user would be unable to write to originally.

Some links to the history of its discussion:

* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then; better yet, the [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is then SGID to group crontab) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) was compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem.
[http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally.

For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1", which blocks non-child ptrace. A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and for servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

fb2d80d9ad09e21ae6ddaaa52f5cadc6a74306c0 3421 3420 2012-11-14T15:50:15Z CoreyBryant 4 wikitext text/x-wiki

There are a number of desired Linux kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits.
This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine whether patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:

* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when the users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:

* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to the symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor, untraceable, quota-bypassing local denial of service is possible: an attacker can exhaust disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that the given user would be unable to write to originally.

Some links to the history of its discussion:

* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then; better yet, the [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is then SGID to group crontab) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.
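The two decision rules described in the Symlink Protection and Hardlink Protection sections, written out as an added example for this page; this is not code from the proposed patches or from the kernel. Inodes, uids and modes are constructed stand-ins, the permission check is simplified to the owner/group/other mode bits (no ACLs, no supplementary groups), and CAP_FOWNER is a flag the caller passes in:

```python
"""Policy model of the symlink and hardlink protections described above.

Added example for this page, not code from the proposed patches or the
kernel. It reproduces the two decision rules as the text states them,
applied to constructed inodes rather than a real filesystem.
Assumptions: permission bits are evaluated against the owner/group/other
triplet only (no ACLs, no supplementary groups), and CAP_FOWNER is a flag
passed in by the caller.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Constructed stand-in for the inode fields the two checks consult."""
    uid: int
    gid: int
    mode: int  # full st_mode, including the file-type bits


def is_world_writable_sticky(parent: Inode) -> bool:
    """A sticky, world-writable directory such as /tmp (mode 1777)."""
    return (stat.S_ISDIR(parent.mode)
            and bool(parent.mode & stat.S_ISVTX)
            and bool(parent.mode & stat.S_IWOTH))


def may_follow_symlink(follower_uid: int, link: Inode, parent: Inode) -> bool:
    """Symlink protection: restrict only inside world-writable sticky dirs.

    There, the follower must own the link, or the link must belong to the
    directory owner (so root's own symlinks in /tmp stay usable by everyone).
    Everywhere else the traditional behaviour is unchanged.
    """
    if not is_world_writable_sticky(parent):
        return True
    return follower_uid == link.uid or link.uid == parent.uid


def may_write(uid: int, gid: int, target: Inode) -> bool:
    """Discretionary write check against the relevant mode triplet."""
    if uid == target.uid:
        return bool(target.mode & stat.S_IWUSR)
    if gid == target.gid:
        return bool(target.mode & stat.S_IWGRP)
    return bool(target.mode & stat.S_IWOTH)


def may_create_hardlink(uid: int, gid: int, target: Inode,
                        cap_fowner: bool = False) -> bool:
    """Hardlink protection with the "or is writable by the current user" relaxation.

    The link is permitted when the caller owns the target, already has write
    access to it, or holds CAP_FOWNER; a non-root user linking /etc/shadow
    is refused, while a Courier-style group-writable spool keeps working.
    """
    return cap_fowner or uid == target.uid or may_write(uid, gid, target)


# Constructed sample objects (not taken from any real system).
TMP_DIR = Inode(uid=0, gid=0, mode=stat.S_IFDIR | 0o1777)          # /tmp
HOME_DIR = Inode(uid=1000, gid=1000, mode=stat.S_IFDIR | 0o755)    # ~user
USER_LINK = Inode(uid=1000, gid=1000, mode=stat.S_IFLNK | 0o777)   # user's symlink
ROOT_LINK = Inode(uid=0, gid=0, mode=stat.S_IFLNK | 0o777)         # root's symlink
SHADOW = Inode(uid=0, gid=42, mode=stat.S_IFREG | 0o640)           # /etc/shadow-like
MAIL_SPOOL = Inode(uid=0, gid=8, mode=stat.S_IFREG | 0o660)        # group-writable spool
OWN_FILE = Inode(uid=1000, gid=1000, mode=stat.S_IFREG | 0o644)    # user's own file


def demo() -> dict:
    """Evaluate the scenarios from the text; returns a scenario -> decision map."""
    return {
        "root follows user symlink in /tmp": may_follow_symlink(0, USER_LINK, TMP_DIR),
        "user follows own symlink in /tmp": may_follow_symlink(1000, USER_LINK, TMP_DIR),
        "user follows root symlink in /tmp": may_follow_symlink(1000, ROOT_LINK, TMP_DIR),
        "root follows user symlink in ~user": may_follow_symlink(0, USER_LINK, HOME_DIR),
        "user hardlinks /etc/shadow": may_create_hardlink(1000, 1000, SHADOW),
        "root hardlinks /etc/shadow": may_create_hardlink(0, 0, SHADOW),
        "mail group member hardlinks spool": may_create_hardlink(1000, 8, MAIL_SPOOL),
        "user hardlinks own file": may_create_hardlink(1000, 1000, OWN_FILE),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:38s} -> {'allowed' if allowed else 'refused'}")
```

The first scenario is the classic /tmp race: root following a user-owned symlink in a sticky world-writable directory is refused, while the same link in the user's own home directory is followed as before. The hardlink cases show why the "writable by the current user" relaxation matters: the mail spool link is allowed for a group member, but the /etc/shadow link is refused for everyone except root or a CAP_FOWNER holder.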
[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) was compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally.

For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1", which blocks non-child ptrace. A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and for servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.
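The ptrace_scope rule just described, modelled over a constructed process table, together with a small check of sysctl output for permissive values. This is an added example for this page, not the Yama code: `cap_sys_ptrace` stands in for the root/sudo path, only scope values 0 and 1 (the two the text describes) are modelled, and `fs.protected_symlinks` / `fs.protected_hardlinks` are the sysctl names the symlink and hardlink protections carry in mainline kernels, which the page text itself does not mention:

```python
"""Model of the Yama ptrace_scope rule described above, plus a small
sysctl audit. Added example for this page; it is not the Yama code.

The process table is constructed inline. `cap_sys_ptrace` stands in for
"running as root / via sudo", which the text says allows tracing any process.
Only scope values 0 and 1, the two the page describes, are modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    uid: int
    cap_sys_ptrace: bool = False


def is_ancestor(table: Dict[int, Proc], tracer_pid: int, tracee_pid: int) -> bool:
    """True if tracer is on tracee's parent chain (gdb/strace starting a child)."""
    cur = table[tracee_pid].ppid
    while cur is not None:
        if cur == tracer_pid:
            return True
        cur = table[cur].ppid
    return False


def may_ptrace_attach(table: Dict[int, Proc], tracer_pid: int,
                      tracee_pid: int, ptrace_scope: int) -> bool:
    """Decide PTRACE_ATTACH under the classic same-uid rule plus the Yama scope."""
    tracer, tracee = table[tracer_pid], table[tracee_pid]
    if tracer.cap_sys_ptrace:
        return True                      # root/sudo path: any process
    if tracer.uid != tracee.uid:
        return False                     # never across users without the capability
    if ptrace_scope == 0:
        return True                      # permissive: any same-uid process
    if ptrace_scope == 1:
        return is_ancestor(table, tracer_pid, tracee_pid)
    raise ValueError("only ptrace_scope 0 and 1 are modelled here")


# Constructed process table for one desktop login (uid 1000) plus root.
TABLE: Dict[int, Proc] = {p.pid: p for p in (
    Proc(1, None, 0),                       # init
    Proc(100, 1, 1000),                     # session leader
    Proc(200, 100, 1000),                   # firefox (assumed compromised)
    Proc(300, 100, 1000),                   # gpg-agent
    Proc(400, 100, 1000),                   # gdb started by the user
    Proc(401, 400, 1000),                   # the program gdb launched
    Proc(500, 1, 0, cap_sys_ptrace=True),   # root's "sudo gdb -p"
)}


def parse_sysctl(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines in the format sysctl(8) prints."""
    settings: Dict[str, int] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = int(value)
    return settings


def weak_settings(settings: Dict[str, int]) -> List[str]:
    """Report knobs that are absent or left at the permissive value 0."""
    expected = {
        "kernel.yama.ptrace_scope": 1,
        # Mainline sysctl names of the symlink/hardlink protections;
        # the page text itself does not name them.
        "fs.protected_symlinks": 1,
        "fs.protected_hardlinks": 1,
    }
    return [k for k, want in expected.items() if settings.get(k, 0) < want]


# Constructed sysctl output, as `sysctl -a` would print it on a weak host.
SAMPLE_SYSCTL = """\
kernel.yama.ptrace_scope = 0
fs.protected_symlinks = 1
fs.protected_hardlinks = 0
"""

if __name__ == "__main__":
    print("firefox -> gpg-agent, scope 1:", may_ptrace_attach(TABLE, 200, 300, 1))
    print("firefox -> gpg-agent, scope 0:", may_ptrace_attach(TABLE, 200, 300, 0))
    print("gdb -> its own child, scope 1:", may_ptrace_attach(TABLE, 400, 401, 1))
    print("root gdb -> gpg-agent, scope 1:", may_ptrace_attach(TABLE, 500, 300, 1))
    print("weak settings:", weak_settings(parse_sysctl(SAMPLE_SYSCTL)))
```

With scope 1 the compromised browser cannot attach to gpg-agent, while gdb tracing the program it launched and root attaching to anything both still work; with scope 0 the same-uid attach goes through. The audit half flags a host that has been switched back to the permissive value.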
[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS register is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS limit. Executable regions are loaded below the CS limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does separate the loaded libraries (and their BSS) and the text segment from the brk and mmap heap and stack regions. Versions of this patch have been carried by Red Hat, SUSE, Openwall, grsecurity and others for a long time.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

73b68fa1b98a4d1e38a5b690bbb4a6a341e5fd51 3422 3421 2012-11-14T15:53:49Z CoreyBryant 4 wikitext text/x-wiki

There are a number of desired Linux kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine whether patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:

* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when the users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:

* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to the symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor, untraceable, quota-bypassing local denial of service is possible: an attacker can exhaust disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that the given user would be unable to write to originally.

Some links to the history of its discussion:

* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then; better yet, the [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is then SGID to group crontab) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) was compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally.

For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1", which blocks non-child ptrace. A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and for servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS register is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS limit. Executable regions are loaded below the CS limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does separate the loaded libraries (and their BSS) and the text segment from the brk and mmap heap and stack regions. Versions of this patch have been carried by Red Hat, SUSE, Openwall, grsecurity and others for a long time.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

== chroot Protection ==

Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls. While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots), so many behaviors are changed that they come into conflict with the more common development configurations.

Solutions are varied. Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but fixing it does not block the other avenues, so the gain is very small when compared with the downside of carrying a delta from the upstream kernel. A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service.

Some links to the history of its discussion:

* 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security.
* Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot.
** True, but maybe disallowing double-chroot is okay.
* Can escape chroots in a large number of ways; containers are better.
** Fix each flaw. Containers are not very easy to use yet.

[http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix]

27fed980c054b251451f047d8dad9d920846b2c3 3423 3422 2012-11-14T18:28:49Z CoreyBryant 4 wikitext text/x-wiki

There are a number of desired Linux kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine whether patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:

* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux.
Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so as much information is available to make an educated decision about potential implementations. == Symlink Protection == A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless who is following them). Some links to the history of its discussion: * 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2 * 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html * 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4 * 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html Past objections and rebuttals could be summarized as: * Violates POSIX. ** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this. * Might break unknown applications that use this feature. ** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't. * Applications should just use mkstemp() or O_CREATE|O_EXCL. 
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability. [https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch] [http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch] == Hardlink Protection == Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor untraceable quota-bypassing local denial of service is possible by an attacker exhausting disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that a given user would be unable to write to originally. Some links to the history of its discussion: * 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20 * 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99 Past objections and rebuttals could be summarized as: * Violates POSIX. ** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this. * Might break atd, courier, and other unknown applications that use this feature. ** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't. 
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then, or better yet the [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and it never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is SGID to group crontab then) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) were compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally.

For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace. A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS register is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS-limit. Executable regions are loaded below the CS-limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does, however, separate the loaded libraries (and their BSS) and the text segment from the brk and mmap heap and stack regions. Versions of this patch have been carried by RedHat, SUSE, Openwall, grsecurity and others for a long time.
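The ptrace Protection section above describes two defensive ends of the same problem: the system-wide Yama sysctl and the per-process prctl() opt-out that agents such as ssh-agent use. The program below is an added example (not code from this wiki or from the linked patches) showing both from a userspace process: it reads and interprets /proc/sys/kernel/yama/ptrace_scope, and it clears its own "dumpable" flag with prctl(PR_SET_DUMPABLE, 0), after which an unprivileged same-uid PTRACE_ATTACH is refused regardless of the Yama setting. The helper names are this example's own; the meanings given for scope values 2 and 3 come from the kernel's Yama documentation, not from the wiki text.

```c
/*
 * Added example (not from the kernsec wiki or any patch it links): reading
 * the Yama ptrace_scope sysctl and opting the current process out of ptrace
 * attachment, as described in the ptrace Protection section.  Helper names
 * and the error conventions are this example's own.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

#define YAMA_SCOPE_PATH "/proc/sys/kernel/yama/ptrace_scope"

/* Parse the text of the sysctl file.  Returns 0..3 on success, -1 if the
 * content is not a small non-negative integer (e.g. an empty file). */
int yama_parse_scope(const char *text)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    /* Only trailing whitespace (the newline the kernel prints) may follow. */
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0' || v < 0 || v > 3)
        return -1;
    return (int)v;
}

/* Meaning of each scope value.  0 and 1 are the values the wiki discusses;
 * 2 and 3 are taken from the kernel's Yama documentation. */
const char *yama_scope_name(int scope)
{
    switch (scope) {
    case 0: return "classic: any same-uid process may attach";
    case 1: return "restricted: only ancestors, PR_SET_PTRACER or CAP_SYS_PTRACE";
    case 2: return "admin-only: only CAP_SYS_PTRACE may attach";
    case 3: return "no attach: ptrace attachment disabled until reboot";
    default: return "unknown";
    }
}

/* Read the live sysctl.  Returns -1 if Yama is not present (file missing)
 * or the content is malformed, so callers treat "unknown" as "unprotected". */
int yama_read_scope(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    size_t n;

    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return yama_parse_scope(buf);
}

/* Refuse ptrace attachment from unprivileged peers, the way ssh-agent does:
 * a non-dumpable process can only be traced with CAP_SYS_PTRACE.
 * Returns 0 on success, -1 (errno set) on failure or on non-Linux systems. */
int ptrace_opt_out(void)
{
#ifdef __linux__
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    int scope = yama_read_scope(YAMA_SCOPE_PATH);

    if (scope < 0)
        printf("Yama ptrace_scope not available on this kernel\n");
    else
        printf("ptrace_scope=%d (%s)\n", scope, yama_scope_name(scope));

    if (ptrace_opt_out() == 0)
        printf("this process is now non-dumpable; same-uid PTRACE_ATTACH will be refused\n");
    else
        perror("prctl(PR_SET_DUMPABLE)");
    return 0;
}
```

A process that clears its dumpable flag also stops producing core dumps and hides most of its /proc/PID entries from same-uid readers, which is usually what a credential-holding daemon wants; the sysctl read is there so an audit script can report hosts still running with scope 0.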
[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

== chroot Protection ==

Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls. While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots), doing so changes so many behaviors that it comes into conflict with the more common development configurations.

Solutions are varied. Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but does not block the other avenues, so the gain is very small when compared with the downside of carrying a delta from the upstream kernel.

A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service.

Some links to the history of its discussion:
* 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security.
* Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot.
** True, but maybe disallowing double-chroot is okay.
* Can escape chroots in a large number of ways; containers are better.
** Fix each flaw. Containers are not very easy to use yet.

[http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix]

== Additional Kernel Hardening Development Projects ==

* ASLR for kernel code (Dan Rosenberg: IN PROGRESS)
* remove remaining kernel address leaks that prevent ASLR from being effective (Dan Rosenberg)
** https://patchwork.kernel.org/patch/487751/
*** kernel/cgroup.c
*** kernel/kprobes.c
*** kernel/lockdep_proc.c
** /proc/mtrr
** /proc/slabinfo
** /proc/asound/cards
** /sys/devices/*/*/resources
** /proc/net/ptype
** /sys/kernel/slab/*/ctor
** /proc/iomem
** inet_diag NETLINK socket addresses
** ...
* chase down const-ification of function pointers (Kees Cook)
** Emese Revfy's patches
** Lionel Debroux's grsecurity extractions
*** http://lkml.org/lkml/2010/11/7/51
*** http://lkml.org/lkml/2010/11/7/52
*** http://lkml.org/lkml/2010/11/7/53
*** http://lkml.org/lkml/2010/11/8/14
* examine page permissions and get rid of rwx mappings
* implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC
* disable set_kernel_text_rw() and friends via sysctl
* module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN
** http://lkml.org/lkml/2010/11/7/212
* block hibernation image attacks (Vasiliy Kulikov)
** http://permalink.gmane.org/gmane.linux.kernel/1108853
* copy_*_user() hardening, like CONFIG_PAX_USERCOPY
** keep length under MAX_INT
** validate targets against compiler knowledge of static buffers or look up buffer sizes from the heap allocator
* User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP
* Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK
* Kernel stack clearing, like CONFIG_PAX_STACKLEAK
* Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT
* kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM
* add -Wextra and perform associated cleanups
* restricted access to vm86-related syscalls/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl
* ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability be actually affected by the current personality, which is currently not the case)
** this will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting _only_ child processes - e.g., not yet vzctl, but the container's /sbin/init - will do for this purpose)
* whitelist filesystem module autoloading, similar to the rare network module blacklist

2147b25092027b052922a298fe2d2507af7c953d 3424 3423 2012-11-14T18:34:16Z CoreyBryant 4 wikitext text/x-wiki

There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine if patches have been modified or tampered with since they were signed.
= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:
* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor untraceable quota-bypassing local denial of service is possible by an attacker exhausting disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that a given user would be unable to write to originally.

Some links to the history of its discussion:
* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then, or better yet the [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and it never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is SGID to group crontab then) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) were compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally.

For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace. A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS register is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS-limit. Executable regions are loaded below the CS-limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region.
It does, however, separate the loaded libraries (and their BSS) and the text segment from the brk and mmap heap and stack regions. Versions of this patch have been carried by RedHat, SUSE, Openwall, grsecurity and others for a long time.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

== chroot Protection ==

Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls. While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots), doing so changes so many behaviors that it comes into conflict with the more common development configurations.

Solutions are varied. Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but does not block the other avenues, so the gain is very small when compared with the downside of carrying a delta from the upstream kernel.

A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service.

Some links to the history of its discussion:
* 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security.
* Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot.
** True, but maybe disallowing double-chroot is okay.
* Can escape chroots in a large number of ways; containers are better.
** Fix each flaw. Containers are not very easy to use yet.

[http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix]

== Additional Kernel Hardening Development Projects ==

Here is a rough plan for things to do to the upstream Linux kernel to make it harder for security vulnerabilities to become exploitable. Note: Many CONFIG_* items below refer to PaX and grsecurity.

* ASLR for kernel code (Dan Rosenberg: IN PROGRESS)
* remove remaining kernel address leaks that prevent ASLR from being effective (Dan Rosenberg)
** https://patchwork.kernel.org/patch/487751/
*** kernel/cgroup.c
*** kernel/kprobes.c
*** kernel/lockdep_proc.c
** /proc/mtrr
** /proc/slabinfo
** /proc/asound/cards
** /sys/devices/*/*/resources
** /proc/net/ptype
** /sys/kernel/slab/*/ctor
** /proc/iomem
** inet_diag NETLINK socket addresses
** ...
* chase down const-ification of function pointers (Kees Cook)
** Emese Revfy's patches
** Lionel Debroux's grsecurity extractions
*** http://lkml.org/lkml/2010/11/7/51
*** http://lkml.org/lkml/2010/11/7/52
*** http://lkml.org/lkml/2010/11/7/53
*** http://lkml.org/lkml/2010/11/8/14
* examine page permissions and get rid of rwx mappings
* implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC
* disable set_kernel_text_rw() and friends via sysctl
* module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN
** http://lkml.org/lkml/2010/11/7/212
* block hibernation image attacks (Vasiliy Kulikov)
** http://permalink.gmane.org/gmane.linux.kernel/1108853
* copy_*_user() hardening, like CONFIG_PAX_USERCOPY
** keep length under MAX_INT
** validate targets against compiler knowledge of static buffers or look up buffer sizes from the heap allocator
* User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP
* Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK
* Kernel stack clearing, like CONFIG_PAX_STACKLEAK
* Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT
* kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM
* add -Wextra and perform associated cleanups
* restricted access to vm86-related syscalls/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl
* ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability be actually affected by the current personality, which is currently not the case)
** this will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting _only_ child processes - e.g., not yet vzctl, but the container's /sbin/init - will do for this purpose)
* whitelist filesystem module autoloading, similar to the rare network module blacklist

== Userspace Protections ==

* linking restrictions (CONFIG_GRKERNSEC_LINK), see above... (Kees Cook)
* fifo restrictions (CONFIG_GRKERNSEC_FIFO), closely related to the linking restrictions mentioned above
* mprotect hardening (CONFIG_PAX_MPROTECT)
* segv respawn restriction (CONFIG_GRKERNSEC_BRUTE)
* /proc visibility restriction (CONFIG_GRKERNSEC_PROC_USER)
* safer set*uid() behavior on error (don't fail and return; instead SIGSEGV if it has to fail because of resource shortage); this was implemented unconditionally in Linux 2.4.x-ow but needs different treatment for 2.6.x/upstream (maybe sysctl'able)
* destroy shm not in use (CONFIG_HARDEN_SHM from Linux 2.4.x-ow), which is needed to prevent RLIMIT_AS*RLIMIT_NPROC bypasses
* nx-emulation (RedHat Exec-Shield, CONFIG_PAX_SEGMEXEC, or better yet CONFIG_PAX_PAGEEXEC)
** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
* ASCII-armor ASLR (RedHat Exec-Shield)
** needs serious entropy improvement if it should be used at all
*** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization
*** http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html
** at least with RHEL5'ish kernels (not tested on Ubuntu specifically), exec-shield appears to provide ASCII-armor for mmap'ed shared libs with 32-bit kernels, but does not do it when running 32-bit binaries on 64-bit kernels (64-bit bins are OK); this looks like a code bug (or incomplete implementation) to chase down and fix (this is needed for our own use regardless of upstream submission)
** "enforcing" mode for W^X (ignore GNU ELF flags), sysctl'able and/or per process tree and/or per-container
** TARPIT netfilter target https://bugs.launchpad.net/ubuntu/+source/linux/+bug/78361
** CAPs-less ping: http://marc.info/?l=linux-kernel&m=129434182105135
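The "linking restrictions" entry above points back to the Symlink Protection and Hardlink Protection sections. What follows is an added example, not code from this wiki or from the proposed patches it links: the two decision rules as the text states them, written as pure functions over a small stat-like struct so they can be exercised with constructed inputs. The symlink rule (in a world-writable sticky directory, follow only when the follower owns the link or the link's owner owns the directory) and the hardlink rule (link only to files the caller owns, could already write to, or may treat as their own via CAP_FOWNER, the "or is writable by the current user" check from the Courier discussion) are taken from the page; the struct and function names, the fixtures in main(), and the simplified DAC check (no supplementary groups, ACLs or mount flags) are this example's own.

```c
/*
 * Added example (not from the kernsec wiki or the linked patches): the
 * symlink-following and hardlink-creation rules described on the page, as
 * pure functions.  Names, fixtures and the simplified permission check are
 * this example's own; they model the rule, not the kernel's implementation.
 */
#define _XOPEN_SOURCE 700
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>    /* S_ISVTX, S_IWOTH, S_ISLNK, S_IFREG, ... */
#include <sys/types.h>

/* The subset of struct stat the two rules look at. */
struct inode_attrs {
    mode_t mode;    /* file type and permission bits, as in st_mode */
    uid_t uid;      /* owner, as in st_uid */
    gid_t gid;      /* group, as in st_gid */
};

/* The caller: filesystem credentials plus the one capability that
 * overrides the hardlink rule. */
struct caller {
    uid_t fsuid;
    gid_t fsgid;
    bool cap_fowner;    /* CAP_FOWNER: may act as the owner of any file */
};

/* Symlink rule.  Only symlinks inside a world-writable sticky directory are
 * restricted; there a symlink may be followed only if the follower owns it
 * or the directory owner does. */
bool may_follow_symlink(const struct inode_attrs *dir,
                        const struct inode_attrs *link,
                        const struct caller *who)
{
    bool sticky_world_writable = (dir->mode & S_ISVTX) && (dir->mode & S_IWOTH);

    if (!S_ISLNK(link->mode))
        return true;                 /* nothing to restrict */
    if (!sticky_world_writable)
        return true;                 /* ordinary directory: unchanged */
    if (link->uid == who->fsuid)
        return true;                 /* your own symlinks are always fine */
    if (link->uid == dir->uid)
        return true;                 /* the directory owner's symlinks are trusted */
    return false;                    /* cross-user symlink in /tmp-like dir */
}

/* Minimal DAC write check from the permission bits only.  Deliberately
 * simplified: no supplementary groups, ACLs or read-only mounts. */
static bool can_write(const struct inode_attrs *f, const struct caller *who)
{
    if (who->fsuid == f->uid)
        return (f->mode & S_IWUSR) != 0;
    if (who->fsgid == f->gid)
        return (f->mode & S_IWGRP) != 0;
    return (f->mode & S_IWOTH) != 0;
}

/* Hardlink rule: a user may only create a hardlink to a file they own,
 * could already write to, or may treat as their own via CAP_FOWNER. */
bool may_create_hardlink(const struct inode_attrs *target,
                         const struct caller *who)
{
    if (who->cap_fowner)
        return true;
    if (target->uid == who->fsuid)
        return true;
    return can_write(target, who);
}

int main(void)
{
    /* Constructed fixtures: /tmp (01777, root-owned), a user's symlink in
     * it, /etc/shadow (0640 root:shadow), and three callers. */
    struct inode_attrs tmp      = { S_IFDIR | 01777, 0, 0 };
    struct inode_attrs userlink = { S_IFLNK | 0777, 1000, 1000 };
    struct inode_attrs shadow   = { S_IFREG | 0640, 0, 42 };
    struct caller root  = { 0, 0, true };
    struct caller alice = { 1000, 1000, false };
    struct caller bob   = { 1001, 1001, false };

    printf("root follows alice's /tmp symlink: %s\n",
           may_follow_symlink(&tmp, &userlink, &root) ? "allowed" : "denied");
    printf("alice follows her own /tmp symlink: %s\n",
           may_follow_symlink(&tmp, &userlink, &alice) ? "allowed" : "denied");
    printf("bob hardlinks /etc/shadow: %s\n",
           may_create_hardlink(&shadow, &bob) ? "allowed" : "denied");
    return 0;
}
```

The hardlink rule is what makes the atd and Courier objections moot: a daemon that links to a file its own user can already write to is unaffected, while a link to /etc/shadow from an unprivileged home directory is refused at creation time, before any symlink-safe privileged program can be tricked into opening it.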
32b32680fcc24c45ba5a6fcdae10dc8adf033e3d 3425 3424 2012-11-14T18:36:09Z CoreyBryant 4 wikitext text/x-wiki

There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine if patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:
* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor untraceable quota-bypassing local denial of service is possible by an attacker exhausting disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that a given user would be unable to write to originally.

Some links to the history of its discussion:
* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then, or better yet the [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and it never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is SGID to group crontab then) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches) * Applications should correctly drop privileges before attempting to access user files. ** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability. [https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch] [http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch] == ptrace Protection == As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) was compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] is fully possible if ptrace is allowed normally. For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID, and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace. 
A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and for servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permission via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security (on 32-bit x86 the NX bit exists only in the PAE page-table format, and many 32-bit kernels do not use PAE). To simulate the execute bit without page-table support, the CS segment limit is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS limit: executable regions are loaded below the limit, and nothing above it can be executed. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does provide a split between the loaded libraries (and their BSS) and the text segment on one side, and the brk and mmap heaps and the stack on the other. Versions of this patch have been carried by RedHat, SUSE, Openwall, grsecurity and others for a long time.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

== chroot Protection ==

Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls.
While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots), so many behaviors are changed that they come into conflict with the more common development configurations. Solutions are varied. Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but fixing it does not block the other avenues, so the gain is very small when compared with the down-side of carrying a delta from the upstream kernel. A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service.

Some links to the history of its discussion:
* 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security.
* Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot.
** True, but maybe disallowing double-chroot is okay.
* Can escape chroots in a large number of ways; containers are better.
** Fix each flaw. Containers are not very easy to use yet.

[http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix]

== Additional Kernel Hardening Development Projects ==

Here is a rough plan for things to do to the upstream Linux kernel to make it harder for security vulnerabilities to become exploitable. Note: Many CONFIG_* items below refer to PaX and grsecurity.
* ASLR for kernel code (Dan Rosenberg: IN PROGRESS)
* remove remaining kernel address leaks that prevent ASLR from being effective (Dan Rosenberg)
** https://patchwork.kernel.org/patch/487751/
*** kernel/cgroup.c
*** kernel/kprobes.c
*** kernel/lockdep_proc.c
** /proc/mtrr
** /proc/slabinfo
** /proc/asound/cards
** /sys/devices/*/*/resources
** /proc/net/ptype
** /sys/kernel/slab/*/ctor
** /proc/iomem
** inet_diag NETLINK socket addresses
** ...
* chase down const-ification of function pointers (Kees Cook)
** Emese Revfy's patches
** Lionel Debroux's grsecurity extractions
*** http://lkml.org/lkml/2010/11/7/51
*** http://lkml.org/lkml/2010/11/7/52
*** http://lkml.org/lkml/2010/11/7/53
*** http://lkml.org/lkml/2010/11/8/14
* examine page permissions and get rid of rwx mappings
* implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC
* disable set_kernel_text_rw() and friends via sysctl
* module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN
** http://lkml.org/lkml/2010/11/7/212
* block hibernation image attacks (Vasiliy Kulikov)
** http://permalink.gmane.org/gmane.linux.kernel/1108853
* copy_*_user() hardening, like CONFIG_PAX_USERCOPY
** keep length under INT_MAX
** validate targets against compiler knowledge of static buffers or look up buffer sizes from the heap allocator
* User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP
* Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK
* Kernel stack clearing, like CONFIG_PAX_STACKLEAK
* Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT
* kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM
* add -Wextra and perform associated cleanups
* restricted access to vm86-related syscalls/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl
* ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability be actually affected by the current personality, which is currently not the case)
** this will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting _only_ child processes - e.g., not yet vzctl, but the container's /sbin/init - will do for this purpose)
* whitelist filesystem module autoloading, similar to the existing blacklist of rarely used network protocol modules

== Userspace Protections ==

* linking restrictions (CONFIG_GRKERNSEC_LINK), see above... (Kees Cook)
* fifo restrictions (CONFIG_GRKERNSEC_FIFO), closely related to the linking restrictions mentioned above
* mprotect hardening (CONFIG_PAX_MPROTECT)
* segv respawn restriction (CONFIG_GRKERNSEC_BRUTE)
* /proc visibility restriction (CONFIG_GRKERNSEC_PROC_USER)
* safer set*uid() behavior on error (don't fail & return; instead SIGSEGV if it has to fail because of resource shortage), was implemented unconditionally in Linux 2.4.x-ow but needs different treatment for 2.6.x/upstream (maybe sysctl'able)
* destroy shm not in use (CONFIG_HARDEN_SHM from Linux 2.4.x-ow), which is needed to prevent RLIMIT_AS*RLIMIT_NPROC bypasses
* nx-emulation (RedHat Exec-Shield, CONFIG_PAX_SEGMEXEC, or better yet CONFIG_PAX_PAGEEXEC)
** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
* ASCII-armor ASLR (RedHat Exec-Shield)
** needs serious entropy improvement if it should be used at all
*** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization
*** http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html
** at least with RHEL5'ish kernels (not tested on Ubuntu specifically), exec-shield appears to provide ASCII-armor for mmap'ed shared libs with 32-bit kernels, but does not do it when running 32-bit binaries on 64-bit kernels (64-bit bins are OK) - looks like a code bug (or incomplete implementation) to chase down and fix (this is needed for our own use regardless of upstream submission)
** "enforcing" mode for W^X (ignore GNU ELF flags), sysctl'able and/or per process tree and/or per-container
** TARPIT netfilter target https://bugs.launchpad.net/ubuntu/+source/linux/+bug/78361
** CAPs-less ping: http://marc.info/?l=linux-kernel&m=129434182105135

1c38fec2a2e85ce63938a2b0187943205065e60b 3430 3429 2012-11-14T18:46:26Z CoreyBryant 4 wikitext text/x-wiki The [[Linux Security Workgroup]] has a number of desired
Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine whether patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user).
The solution is to not permit symlinks to be followed when the follower's uid does not match the symlink owner's, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:
* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory.
While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor, untraceable, quota-bypassing local denial of service is possible: an attacker can exhaust disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that the linking user would be unable to write to originally.

Some links to the history of its discussion:
* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then, or better yet [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and it never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is SGID to group crontab then) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) was compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally.

For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent, which marks itself non-dumpable with PR_SET_DUMPABLE). A more general solution is to only allow a process to ptrace its own descendants (i.e. running a program directly under gdb or strace still works), or to allow it from a process holding CAP_SYS_PTRACE (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-descendant ptrace.
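As an added example (not the page's or the Yama patch's code), a small Linux-only C program that exercises both defences this section describes: the per-application prctl(PR_SET_DUMPABLE, 0) opt-out that ssh-agent uses, and the scope check itself. It reads the ptrace_scope sysctl, then forks a target and a sibling of that target which attempts PTRACE_ATTACH on it. The sibling is not the target's ancestor, so with ptrace_scope=1 the attach fails with EPERM even though both processes run as the same user; with ptrace_scope=0 it succeeds unless the target has first made itself non-dumpable. The only assumption is the sysctl path given above; a caller that already holds CAP_SYS_PTRACE (root) will see the attach succeed in every case.

```c
/* ptrace_scope_probe.c: probe Yama's ptrace_scope and the dumpable opt-out.
 * Added example; not the proposed patch's code.  Linux only.
 * Build: cc -Wall ptrace_scope_probe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current value of /proc/sys/kernel/yama/ptrace_scope, or -1 without Yama. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* The application-level defence: mark the process non-dumpable, which also
 * makes it unattachable by any tracer lacking CAP_SYS_PTRACE.
 * Returns the resulting PR_GET_DUMPABLE value, so 0 means success. */
int make_undumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Fork a target, then fork a sibling that tries PTRACE_ATTACH on the target.
 * The attacker is not an ancestor of the target, which is exactly the case
 * Yama scope 1 blocks.  Returns 0 if the attach succeeded, otherwise the
 * attacker's errno (EPERM when blocked by Yama or by a non-dumpable target). */
int probe_sibling_attach(int target_undumpable)
{
    int ready[2];
    if (pipe(ready) != 0)
        return errno;

    pid_t target = fork();
    if (target < 0)
        return errno;
    if (target == 0) {                      /* the victim, e.g. an agent */
        close(ready[0]);
        if (target_undumpable)
            prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        if (write(ready[1], "r", 1) != 1)   /* tell the parent we are set up */
            _exit(1);
        close(ready[1]);
        for (;;)
            pause();
    }
    close(ready[1]);
    char c;
    if (read(ready[0], &c, 1) != 1) {       /* wait for the target's prctl */
        kill(target, SIGKILL);
        waitpid(target, NULL, 0);
        return EIO;
    }
    close(ready[0]);

    pid_t attacker = fork();
    if (attacker < 0) {
        kill(target, SIGKILL);
        waitpid(target, NULL, 0);
        return errno;
    }
    if (attacker == 0) {                    /* the compromised sibling */
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == 0) {
            waitpid(target, NULL, 0);       /* tracee stopped; it is ours now */
            ptrace(PTRACE_DETACH, target, NULL, NULL);
            _exit(0);
        }
        _exit(errno);                       /* EPERM etc. fit in an exit byte */
    }
    int status = 0;
    waitpid(attacker, &status, 0);
    kill(target, SIGKILL);
    waitpid(target, NULL, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int scope = read_ptrace_scope();
    printf("ptrace_scope = %d (%s)\n", scope,
           scope < 0 ? "Yama not available" :
           scope == 0 ? "classic: any same-uid process may attach" :
           scope == 1 ? "descendants only" :
           scope == 2 ? "CAP_SYS_PTRACE only" : "no attach at all");
    int r = probe_sibling_attach(0);
    printf("sibling attach to dumpable target:     %s\n", r == 0 ? "succeeded" : strerror(r));
    r = probe_sibling_attach(1);
    printf("sibling attach to non-dumpable target: %s\n", r == 0 ? "succeeded" : strerror(r));
    return 0;
}
```

Run it as an ordinary user once with the sysctl at 1 and once at 0 to see the difference the section describes; the non-dumpable case is denied in both runs, which is why agents opt in even on systems that ship scope 1. Yama also offers prctl(PR_SET_PTRACER, pid) for a process that wants to allow one specific tracer (a crash handler, say) without reopening itself to every same-uid process.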
A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and for servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permission via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security (on 32-bit x86 the NX bit exists only in the PAE page-table format, and many 32-bit kernels do not use PAE). To simulate the execute bit without page-table support, the CS segment limit is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS limit: executable regions are loaded below the limit, and nothing above it can be executed. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does provide a split between the loaded libraries (and their BSS) and the text segment on one side, and the brk and mmap heaps and the stack on the other. Versions of this patch have been carried by RedHat, SUSE, Openwall, grsecurity and others for a long time.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

== chroot Protection ==

Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls.
While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots) so many behaviors are changed and come in conflict with the more common development configurations. Solutions are varied. Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but does not block the other avenues, so the gain is very small when compared with the down-side of carrying a delta from the upstream kernel. A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service. Some links to the history of its discussion: * 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html Past objections and rebuttals could be summarized as: * Violates POSIX. ** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security. * Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot. ** True, but maybe disallowing double-chroot is okay. * Can escape chroots in a large number of ways; containers are better. ** Fix each flaw. Containers are not very easy to use yet. [http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix] == Additional Kernel Hardening Development Projects == Here is a rough plan for things to do to the upstream Linux kernel to make it harder for security vulnerabilities to become exploitable. Note: Many CONFIG_* items below refer to PaX and grsecurity. 
* ASLR for kernel code (Dan Rosenberg: IN PROGRESS) * remove remaining kernel address leaks that prevent ASLR from being effective (Dan Rosenberg) ** https://patchwork.kernel.org/patch/487751/ *** kernel/cgroup.c *** kernel/kprobes.c *** kernel/lockdep_proc.c ** /proc/mtrr ** /proc/slabinfo ** /proc/asound/cards ** /sys/devices/*/*/resources ** /proc/net/ptype ** /sys/kernel/slab/*/ctor ** /proc/iomem ** inet_diag NETLINK socket addresses ** ... * chase down const-ification of function pointers (Kees Cook) ** Emese Revfy's patches ** Lionel Debroux's grsecurity extractions *** http://lkml.org/lkml/2010/11/7/51 *** http://lkml.org/lkml/2010/11/7/52 *** http://lkml.org/lkml/2010/11/7/53 *** http://lkml.org/lkml/2010/11/8/14 * examine page permissions and get rid of rwx mappings * implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC * disable set_kernel_text_rw() and friends via sysctl * module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN ** http://lkml.org/lkml/2010/11/7/212 * block hibernation image attacks (Vasiliy Kulikov) ** http://permalink.gmane.org/gmane.linux.kernel/1108853 * copy_*_user() hardening, like CONFIG_PAX_USERCOPY ** keep length under MAX_INT ** validate targets against compiler knowledge of static buffers or look up buffer sizes from heap allocator * User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP * Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK * Kernel stack clearing, like CONFIG_PAX_STACKLEAK * Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT * kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM * add -Wextra and perform associated cleanups * restricted access to vm86-related syscall/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl * ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability be actually 
affected by the current personality, which is currently not the case) ** this will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting _only_ child processes - e.g., not yet vzctl, but the container's /sbin/init - will do for this purpose) * whitelist filesystem module autoloading. similar to rare network module blacklist == Userspace Protections == * linking restrictions (CONFIG_GRKERNSEC_LINK), see above... (Kees Cook) * fifo restrictions (CONFIG_GRKERNSEC_FIFO), closely related to the linking restrictions mentioned above * mprotect hardening (CONFIG_PAX_MPROTECT) * segv respawn restriction (CONFIG_GRKERNSEC_BRUTE) * /proc visibility restriction (CONFIG_GRKERNSEC_PROC_USER) * safer set*uid() behavior on error (don't fail & return, instead SIGSEGV if has to fail because of resource shortage), was implemented unconditionally in Linux 2.4.x-ow but needs different treatment for 2.6.x/upstream (maybe sysctl'able) * destroy shm not in use (CONFIG_HARDEN_SHM from Linux 2.4.x-ow), which is needed to prevent RLIMIT_AS*RLIMIT_NPROC bypasses * nx-emulation (RedHat Exec-Shield, CONFIG_PAX_SEGMEXEC, or better yet CONFIG_PAX_PAGEEXEC) ** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation * ASCII-armor ASLR (RedHat Exec-Shield) ** needs serious entropy improvement if it should be used at all *** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization *** http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html ** at least with RHEL5'ish kernels (not tested on Ubuntu specifically), exec-shield appears to provide ASCII-armor for mmap'ed shared libs with 32-bit kernels, but does not do it when running 32-bit binaries on 64-bit kernels (64-bit 
466637cc7e546c6969c8ed16eee728aa21924ce0 3431 3430 2012-11-14T18:47:00Z CoreyBryant 4 wikitext text/x-wiki

The [[Linux Security Workgroup]] has a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine whether patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:

* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux.
Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:

* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to the symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor, untraceable, quota-bypassing local denial of service is possible: an attacker can exhaust disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that a given user would be unable to write to originally.

Some links to the history of its discussion:

* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then; better yet, [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and it never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is then SGID to group crontab) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) were compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem.
[http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally. For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace. A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS register is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS limit. Executable regions are loaded below the CS limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does, however, separate the loaded libraries (and their BSS) and the text segment from the brk and mmap heaps and the stack regions. Versions of this patch have been carried by RedHat, SUSE, Openwall, grsecurity and others for a long time.
[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

== chroot Protection ==

Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls. While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots), so many behaviors are changed that they come into conflict with the more common development configurations. Solutions are varied. Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but fixing it does not block the other avenues, so the gain is very small when compared with the downside of carrying a delta from the upstream kernel. A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service.

Some links to the history of its discussion:

* 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security.
* Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot.
** True, but maybe disallowing double-chroot is okay.
* Can escape chroots in a large number of ways; containers are better.
** Fix each flaw. Containers are not very easy to use yet.

[http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix]

== Additional Kernel Hardening Development Projects ==

Here is a rough plan for things to do to the upstream Linux kernel to make it harder for security vulnerabilities to become exploitable. Note: many CONFIG_* items below refer to PaX and grsecurity.

* ASLR for kernel code (Dan Rosenberg: IN PROGRESS)
* remove remaining kernel address leaks that prevent ASLR from being effective (Dan Rosenberg)
** https://patchwork.kernel.org/patch/487751/
*** kernel/cgroup.c
*** kernel/kprobes.c
*** kernel/lockdep_proc.c
** /proc/mtrr
** /proc/slabinfo
** /proc/asound/cards
** /sys/devices/*/*/resources
** /proc/net/ptype
** /sys/kernel/slab/*/ctor
** /proc/iomem
** inet_diag NETLINK socket addresses
** ...
* chase down const-ification of function pointers (Kees Cook)
** Emese Revfy's patches
** Lionel Debroux's grsecurity extractions
*** http://lkml.org/lkml/2010/11/7/51
*** http://lkml.org/lkml/2010/11/7/52
*** http://lkml.org/lkml/2010/11/7/53
*** http://lkml.org/lkml/2010/11/8/14
* examine page permissions and get rid of rwx mappings
* implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC
* disable set_kernel_text_rw() and friends via sysctl
* module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN
** http://lkml.org/lkml/2010/11/7/212
* block hibernation image attacks (Vasiliy Kulikov)
** http://permalink.gmane.org/gmane.linux.kernel/1108853
* copy_*_user() hardening, like CONFIG_PAX_USERCOPY
** keep length under MAX_INT
** validate targets against compiler knowledge of static buffers, or look up buffer sizes from the heap allocator
* User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP
* Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK
* Kernel stack clearing, like CONFIG_PAX_STACKLEAK
* Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT
* kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM
* add -Wextra and perform associated cleanups
* restricted access to vm86-related syscalls/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl
* ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability actually be affected by the current personality, which is currently not the case)
** this will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting _only_ child processes - not vzctl itself, but the container's /sbin/init - will do for this purpose)
* whitelist filesystem module autoloading, similar to the rare network module blacklist

== Userspace Protections ==

* linking restrictions (CONFIG_GRKERNSEC_LINK), see above (Kees Cook)
* fifo restrictions (CONFIG_GRKERNSEC_FIFO), closely related to the linking restrictions mentioned above
* mprotect hardening (CONFIG_PAX_MPROTECT)
* segv respawn restriction (CONFIG_GRKERNSEC_BRUTE)
* /proc visibility restriction (CONFIG_GRKERNSEC_PROC_USER)
* safer set*uid() behavior on error (don't fail and return; instead SIGSEGV if it has to fail because of resource shortage); this was implemented unconditionally in Linux 2.4.x-ow but needs different treatment for 2.6.x/upstream (maybe sysctl'able)
* destroy shm not in use (CONFIG_HARDEN_SHM from Linux 2.4.x-ow), which is needed to prevent RLIMIT_AS*RLIMIT_NPROC bypasses
* nx-emulation (RedHat Exec-Shield, CONFIG_PAX_SEGMEXEC, or better yet CONFIG_PAX_PAGEEXEC)
** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
* ASCII-armor ASLR (RedHat Exec-Shield)
** needs serious entropy improvement if it should be used at all
*** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization
*** http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html
** at least with RHEL5'ish kernels (not tested on Ubuntu specifically), exec-shield appears to provide ASCII-armor for mmap'ed shared libs with 32-bit kernels, but does not do it when running 32-bit binaries on 64-bit kernels (64-bit bins are OK) - looks like a code bug (or incomplete implementation) to chase down and fix (this is needed for our own use regardless of upstream submission)
** "enforcing" mode for W^X (ignore GNU ELF flags), sysctl'able and/or per process tree and/or per-container
** TARPIT netfilter target https://bugs.launchpad.net/ubuntu/+source/linux/+bug/78361
** CAPs-less ping: http://marc.info/?l=linux-kernel&m=129434182105135

c938af94ff0861f2b334472003e0ec622c7fcb76 3435 3431 2012-11-14T18:50:44Z CoreyBryant 4 wikitext text/x-wiki

There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com. The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine whether patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:

* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/.
The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless who is following them). Some links to the history of its discussion: * 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2 * 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html * 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4 * 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html Past objections and rebuttals could be summarized as: * Violates POSIX. ** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this. * Might break unknown applications that use this feature. ** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't. * Applications should just use mkstemp() or O_CREATE|O_EXCL. ** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability. [https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch] [http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch] == Hardlink Protection == Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to symlinks above, but they are not limited to world-writable directories. 
If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor untraceable quota-bypassing local denial of service is possible by an attacker exhausting disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that a given user would be unable to write to originally. Some links to the history of its discussion: * 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20 * 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99 Past objections and rebuttals could be summarized as: * Violates POSIX. ** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this. * Might break atd, courier, and other unknown applications that use this feature. ** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't. ** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then, or better yet [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and it never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is SGID to group crontab then) and of a root-privileged daemon (cron and atd are replaced with just one crond). 
** Courier was only broken by the original most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches) * Applications should correctly drop privileges before attempting to access user files. ** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability. [https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch] [http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch] == ptrace Protection == As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) was compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] is fully possible if ptrace is allowed normally. For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID, and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace. 
A value of "0" restores the prior more permissive behavior, which may be more appropriate for some development systems and servers with only admin accounts. Using "sudo" can also grant temporarily ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process. [https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch] [http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch] == Partial NX Emulation == Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS register is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS-limit. Executable regions are loaded below the CS-limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does provide a split between the loaded libraries (and BSS) and text segment from the brk and mmap heap and stack regions. Versions of this patch have been carried by RedHat, SUSE, Openwall, grsecurity and others for a long time. [http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch] == chroot Protection == Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls. 
While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots) so many behaviors are changed and come in conflict with the more common development configurations. Solutions are varied. Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but does not block the other avenues, so the gain is very small when compared with the down-side of carrying a delta from the upstream kernel. A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service. Some links to the history of its discussion: * 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html Past objections and rebuttals could be summarized as: * Violates POSIX. ** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security. * Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot. ** True, but maybe disallowing double-chroot is okay. * Can escape chroots in a large number of ways; containers are better. ** Fix each flaw. Containers are not very easy to use yet. [http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix] == Additional Kernel Hardening Development Projects == Here is a rough plan for things to do to the upstream Linux kernel to make it harder for security vulnerabilities to become exploitable. Note: Many CONFIG_* items below refer to PaX and grsecurity. 
* ASLR for kernel code (Dan Rosenberg: IN PROGRESS)
* remove remaining kernel address leaks that prevent ASLR from being effective (Dan Rosenberg)
** https://patchwork.kernel.org/patch/487751/
*** kernel/cgroup.c
*** kernel/kprobes.c
*** kernel/lockdep_proc.c
** /proc/mtrr
** /proc/slabinfo
** /proc/asound/cards
** /sys/devices/*/*/resources
** /proc/net/ptype
** /sys/kernel/slab/*/ctor
** /proc/iomem
** inet_diag NETLINK socket addresses
** ...
* chase down const-ification of function pointers (Kees Cook)
** Emese Revfy's patches
** Lionel Debroux's grsecurity extractions
*** http://lkml.org/lkml/2010/11/7/51
*** http://lkml.org/lkml/2010/11/7/52
*** http://lkml.org/lkml/2010/11/7/53
*** http://lkml.org/lkml/2010/11/8/14
* examine page permissions and get rid of rwx mappings
* implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC
* disable set_kernel_text_rw() and friends via sysctl
* module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN
** http://lkml.org/lkml/2010/11/7/212
* block hibernation image attacks (Vasiliy Kulikov)
** http://permalink.gmane.org/gmane.linux.kernel/1108853
* copy_*_user() hardening, like CONFIG_PAX_USERCOPY
** keep length under INT_MAX
** validate targets against compiler knowledge of static buffers, or look up buffer sizes from the heap allocator
* User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP
* Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK
* Kernel stack clearing, like CONFIG_PAX_STACKLEAK
* Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT
* kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM
* add -Wextra and perform associated cleanups
* restricted access to vm86-related syscalls/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl
* ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability actually be affected by the current personality, which is currently not the case)
** this will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting ''only'' child processes, so not vzctl itself but the container's /sbin/init, will do for this purpose)
* whitelist filesystem module autoloading, similar to the rare-network-module blacklist

== Userspace Protections ==

* linking restrictions (CONFIG_GRKERNSEC_LINK), see above... (Kees Cook)
* fifo restrictions (CONFIG_GRKERNSEC_FIFO), closely related to the linking restrictions mentioned above
* mprotect hardening (CONFIG_PAX_MPROTECT)
* segv respawn restriction (CONFIG_GRKERNSEC_BRUTE)
* /proc visibility restriction (CONFIG_GRKERNSEC_PROC_USER)
* safer set*uid() behavior on error (instead of failing and returning an error that callers may ignore, kill the process with SIGSEGV if the call has to fail because of a resource shortage); this was implemented unconditionally in Linux 2.4.x-ow but needs different treatment for 2.6.x/upstream (maybe sysctl'able)
* destroy shm segments not in use (CONFIG_HARDEN_SHM from Linux 2.4.x-ow), which is needed to prevent RLIMIT_AS*RLIMIT_NPROC bypasses
* nx-emulation (Red Hat Exec-Shield, CONFIG_PAX_SEGMEXEC, or better yet CONFIG_PAX_PAGEEXEC)
** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
* ASCII-armor ASLR (Red Hat Exec-Shield)
** needs serious entropy improvement if it is to be used at all
*** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization
*** http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html
** at least with RHEL5'ish kernels (not tested on Ubuntu specifically), exec-shield appears to provide ASCII-armor for mmap'ed shared libs with 32-bit kernels, but does not do it when running 32-bit binaries on 64-bit kernels (64-bit
bins are OK) - looks like a code bug (or incomplete implementation) to chase down and fix (this is needed for our own use regardless of upstream submission)
** "enforcing" mode for W^X (ignore GNU ELF flags), sysctl'able and/or per process tree and/or per-container
** TARPIT netfilter target https://bugs.launchpad.net/ubuntu/+source/linux/+bug/78361
** CAPs-less ping: http://marc.info/?l=linux-kernel&m=129434182105135

6d580b7d3d583e281fe12cb3edb7d3fea5b72f33 3436 3435 2012-11-14T18:51:16Z CoreyBryant 4 wikitext text/x-wiki

There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of effort. If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

685405bf7cb39be87deae1fb2ce34fb8eee364db 3437 3436 2012-11-14T18:52:57Z CoreyBryant 4 wikitext text/x-wiki

There are a number of desired Linux Kernel hardening
projects listed below that are inactive and do not have an owner. If you would like to take ownership of one of these projects or have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com. The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of effort.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine whether patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:
* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploiting [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (e.g. a root process follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when the follower's uid does not match the link owner's, but only in a world-writable sticky directory (with the additional refinement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:
* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to the symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same filesystem, a regular user can create a hardlink to /etc/shadow in their home directory. While the link retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor, untraceable, quota-bypassing local denial of service is possible: an attacker can exhaust disk space by filling a world-writable directory with hardlinks, since the directory entries are charged to the directory's owner rather than to the attacker. The solution is to not allow the creation of hardlinks to files that the user would be unable to write to in the first place.

Some links to the history of its discussion:
* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could easily be "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then; better yet, the [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and never had the problem with hardlinks). The latter solution also gets rid of a SUID-root program (at(1) is then SGID to group crontab) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any process running under their uid. For example, if one application (e.g. firefox) were compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally.

For a solution, some applications use prctl() (PR_SET_DUMPABLE) to specifically disallow such ptrace attachment (e.g. ssh-agent), but that protects only the programs that opt in. A more general solution is to only allow ptrace directly from a parent (or other ancestor) to a child process (i.e. running a program directly under gdb or strace still works), or with CAP_SYS_PTRACE (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace.
A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and for servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permission via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems (for example 32-bit x86 CPUs without the NX bit, or kernels built without the PAE page tables the bit lives in) do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS segment limit is used to split the address space into two regions, which gives a fast way to distinguish memory above and below the CS limit: below it instruction fetches succeed, above it they fault. Executable regions are loaded below the CS limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does separate the loaded libraries (and their BSS) and the text segment from the brk heap, mmap heap and stack regions, which is where attacker-controlled data usually lands. Versions of this patch have been carried by Red Hat, SUSE, Openwall, grsecurity and others for a long time.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

== chroot Protection ==

Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls.
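The best-known of those pitfalls, the cwd escape that the next paragraph lists (a second chroot() into a subdirectory, made without a chdir() into it, leaves the working directory outside the new root, and from there chdir("..") climbs to the real root), as an added example that is not code from this wiki or from the linked cwd-fix patch: a user-space model of the process root and working directory under chroot() and chdir(".."), which needs no privilege and touches no real filesystem. The `cwd_fix` behaviour (relocate a cwd left outside the new root) is the example's assumption about what a hardened chroot() does, not a description of the linked patch; mount points, /proc/*/cwd, fchdir() and ptrace are deliberately outside the model.

```c
/*
 * Added example, not code from this wiki or the linked patch: a model of
 * fs->root and fs->pwd under chroot() and chdir(".."), reproducing the
 * "second chroot() with cwd left outside" escape and what a cwd fix changes.
 */
#include <stdbool.h>
#include <string.h>

#define MAX_DEPTH 16
#define NAME_LEN 32

/* A directory as its component list below the real filesystem root. */
struct path {
	int depth;
	char comp[MAX_DEPTH][NAME_LEN];
};

struct proc {
	struct path root;	/* what "/" resolves to for this process */
	struct path cwd;
};

static void path_append(struct path *p, const char *name)
{
	if (p->depth < MAX_DEPTH) {
		strncpy(p->comp[p->depth], name, NAME_LEN - 1);
		p->comp[p->depth][NAME_LEN - 1] = '\0';
		p->depth++;
	}
}

/* Is `p` at or below `root`? */
bool path_within(const struct path *p, const struct path *root)
{
	if (p->depth < root->depth)
		return false;
	for (int i = 0; i < root->depth; i++)
		if (strcmp(p->comp[i], root->comp[i]) != 0)
			return false;
	return true;
}

/* chdir("..") as the kernel does it: the walk stops only when the current
 * directory *is* the process root. A cwd that is already outside the root is
 * never equal to it, so ".." keeps climbing toward the real root. */
void model_chdir_up(struct proc *p)
{
	if (path_within(&p->cwd, &p->root) && p->cwd.depth == p->root.depth)
		return;		/* at the root: ".." stays put */
	if (p->cwd.depth > 0)
		p->cwd.depth--;
}

/* chroot(name), name being "." or a subdirectory of cwd. Classic semantics:
 * the root moves, the cwd does not. With cwd_fix, a cwd left outside the new
 * root is relocated into it (the model's assumption about a hardened chroot). */
void model_chroot(struct proc *p, const char *name, bool cwd_fix)
{
	struct path newroot = p->cwd;

	if (strcmp(name, ".") != 0)
		path_append(&newroot, name);
	p->root = newroot;
	if (cwd_fix && !path_within(&p->cwd, &p->root))
		p->cwd = p->root;
}

/* The escape from the text, run by root inside a jail rooted at /jail
 * (mkdir is not modelled; "x" is assumed to exist):
 *   chroot("x"); chdir("..") repeatedly; chroot(".")
 * Returns true if the process ends with the real "/" as its root. */
bool classic_escape(bool cwd_fix)
{
	struct proc p;

	memset(&p, 0, sizeof p);
	path_append(&p.root, "jail");
	p.cwd = p.root;				/* properly jailed: cwd == root */
	model_chroot(&p, "x", cwd_fix);		/* root = /jail/x; cwd still /jail unless fixed */
	for (int i = 0; i < MAX_DEPTH; i++)
		model_chdir_up(&p);		/* climbs to the real / when cwd is outside root */
	model_chroot(&p, ".", cwd_fix);		/* root := cwd */
	return p.root.depth == 0;
}

/* Control: a process whose cwd is its root cannot climb, fix or no fix. */
bool proper_jail_holds(void)
{
	struct proc p;

	memset(&p, 0, sizeof p);
	path_append(&p.root, "jail");
	p.cwd = p.root;
	for (int i = 0; i < MAX_DEPTH; i++)
		model_chdir_up(&p);
	model_chroot(&p, ".", false);
	return p.root.depth == 1;		/* still /jail */
}
```

`classic_escape(false)` ends with the real root, `classic_escape(true)` does not, and `proper_jail_holds()` shows that a jail entered with chdir() before chroot() is not what the fix is about. The model also makes the text's broader point concrete: the fix closes exactly one route, and nothing in it helps against a descriptor opened before the chroot or a /proc/*/cwd link.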
While it is certainly possible to patch the kernel to provide a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots), doing so changes so many behaviors that it conflicts with common development configurations. The escape routes are also varied. Among them is leaving the current working directory outside the new root by calling chroot() a second time without a chdir() into it, after which chdir("..") walks up to the real root (others include /proc/*/cwd, fchdir() on a directory descriptor opened before the chroot, and ptrace). This single flaw is trivial to fix, but fixing it does not block the other avenues, so the gain is very small compared with the downside of carrying a delta from the upstream kernel. A better solution is to side-step the problem entirely: since namespaces (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]) are being designed as security boundaries, it is better to use containers or MAC from the start when trying to isolate a service.

Some links to the history of its discussion:
* 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html

Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security.
* Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot.
** True, but maybe disallowing double-chroot is okay.
* Can escape chroots in a large number of ways; containers are better.
** Fix each flaw. Containers are not very easy to use yet.

[http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix]

== Additional Kernel Hardening Development Projects ==

Here is a rough plan for things to do to the upstream Linux kernel to make it harder for security vulnerabilities to become exploitable. Note: many CONFIG_* items below refer to PaX and grsecurity.
* ASLR for kernel code (Dan Rosenberg: IN PROGRESS)
* remove remaining kernel address leaks that prevent ASLR from being effective (Dan Rosenberg)
** https://patchwork.kernel.org/patch/487751/
*** kernel/cgroup.c
*** kernel/kprobes.c
*** kernel/lockdep_proc.c
** /proc/mtrr
** /proc/slabinfo
** /proc/asound/cards
** /sys/devices/*/*/resources
** /proc/net/ptype
** /sys/kernel/slab/*/ctor
** /proc/iomem
** inet_diag NETLINK socket addresses
** ...
* chase down const-ification of function pointers (Kees Cook)
** Emese Revfy's patches
** Lionel Debroux's grsecurity extractions
*** http://lkml.org/lkml/2010/11/7/51
*** http://lkml.org/lkml/2010/11/7/52
*** http://lkml.org/lkml/2010/11/7/53
*** http://lkml.org/lkml/2010/11/8/14
* examine page permissions and get rid of rwx mappings
* implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC
* disable set_kernel_text_rw() and friends via sysctl
* module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN
** http://lkml.org/lkml/2010/11/7/212
* block hibernation image attacks (Vasiliy Kulikov)
** http://permalink.gmane.org/gmane.linux.kernel/1108853
* copy_*_user() hardening, like CONFIG_PAX_USERCOPY
** keep length under INT_MAX
** validate targets against compiler knowledge of static buffers, or look up buffer sizes from the heap allocator
* User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP
* Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK
* Kernel stack clearing, like CONFIG_PAX_STACKLEAK
* Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT
* kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM
* add -Wextra and perform associated cleanups
* restricted access to vm86-related syscalls/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl
* ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability actually be affected by the current personality, which is currently not the case)
** this will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting ''only'' child processes, so not vzctl itself but the container's /sbin/init, will do for this purpose)
* whitelist filesystem module autoloading, similar to the rare-network-module blacklist

== Userspace Protections ==

* linking restrictions (CONFIG_GRKERNSEC_LINK), see above... (Kees Cook)
* fifo restrictions (CONFIG_GRKERNSEC_FIFO), closely related to the linking restrictions mentioned above
* mprotect hardening (CONFIG_PAX_MPROTECT)
* segv respawn restriction (CONFIG_GRKERNSEC_BRUTE)
* /proc visibility restriction (CONFIG_GRKERNSEC_PROC_USER)
* safer set*uid() behavior on error (instead of failing and returning an error that callers may ignore, kill the process with SIGSEGV if the call has to fail because of a resource shortage); this was implemented unconditionally in Linux 2.4.x-ow but needs different treatment for 2.6.x/upstream (maybe sysctl'able)
* destroy shm segments not in use (CONFIG_HARDEN_SHM from Linux 2.4.x-ow), which is needed to prevent RLIMIT_AS*RLIMIT_NPROC bypasses
* nx-emulation (Red Hat Exec-Shield, CONFIG_PAX_SEGMEXEC, or better yet CONFIG_PAX_PAGEEXEC)
** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
* ASCII-armor ASLR (Red Hat Exec-Shield)
** needs serious entropy improvement if it is to be used at all
*** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization
*** http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html
** at least with RHEL5'ish kernels (not tested on Ubuntu specifically), exec-shield appears to provide ASCII-armor for mmap'ed shared libs with 32-bit kernels, but does not do it when running 32-bit binaries on 64-bit kernels (64-bit
bins are OK) - looks like a code bug (or incomplete implementation) to chase down and fix (this is needed for our own use regardless of upstream submission) ** "enforcing" mode for W^X (ignore GNU ELF flags), sysctl'able and/or per process tree and/or per-container ** TARPIT netfilter target https://bugs.launchpad.net/ubuntu/+source/linux/+bug/78361 ** CAPs-less ping: http://marc.info/?l=linux-kernel&m=129434182105135 f98616dac50e3082c0ca13193054f85a19172f7b Inactive Projects 0 107 3438 3437 2012-11-14T18:53:50Z CoreyBryant 4 wikitext text/x-wiki The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of desired Linux Kernel hardening projects listed below that are inactive and do not have an owner. If you would like to take ownership of one of these projects or have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com. = Process Improvements = == Security Code Review Guidelines == This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys laying around. == Patch Signing == This project would provide support to determine if patches have been modified or tampered since they were signed. = Verification of Critical Subsystems = This project would provide verification of critical subsystems such as: * Networking * Network file systems * KVM * Cryptographic library * Kernel build infrastructure This could include approaches such as manual audits, static analysis, fuzzing testing, etc. 
= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when the users do not match, but only in a world-writable sticky directory (with the additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:

* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to the symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor untraceable quota-bypassing local denial of service is possible by an attacker exhausting disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that a given user would be unable to write to originally.

Some links to the history of its discussion:

* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then; or, better yet, the [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is then SGID to group crontab) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) were compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem.
[http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally. For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace. A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS register is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS limit. Executable regions are loaded below the CS limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does provide a split between the loaded libraries (and BSS) and text segment on one side and the brk and mmap heap and stack regions on the other. Versions of this patch have been carried by RedHat, SUSE, Openwall, grsecurity and others for a long time.
[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

== chroot Protection ==

Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls. While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots), so many behaviors are changed that they come into conflict with the more common development configurations. Solutions are varied. Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but fixing it does not block the other avenues, so the gain is very small when compared with the downside of carrying a delta from the upstream kernel. A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service.

Some links to the history of its discussion:

* 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security.
* Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot.
** True, but maybe disallowing double-chroot is okay.
* Can escape chroots in a large number of ways; containers are better.
** Fix each flaw. Containers are not very easy to use yet.

[http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix]

== Additional Kernel Hardening Development Projects ==

Here is a rough plan for things to do to the upstream Linux kernel to make it harder for security vulnerabilities to become exploitable. Note: Many CONFIG_* items below refer to PaX and grsecurity.

* ASLR for kernel code (Dan Rosenberg: IN PROGRESS)
* remove remaining kernel address leaks that prevent ASLR from being effective (Dan Rosenberg)
** https://patchwork.kernel.org/patch/487751/
*** kernel/cgroup.c
*** kernel/kprobes.c
*** kernel/lockdep_proc.c
** /proc/mtrr
** /proc/slabinfo
** /proc/asound/cards
** /sys/devices/*/*/resources
** /proc/net/ptype
** /sys/kernel/slab/*/ctor
** /proc/iomem
** inet_diag NETLINK socket addresses
** ...
* chase down const-ification of function pointers (Kees Cook)
** Emese Revfy's patches
** Lionel Debroux's grsecurity extractions
*** http://lkml.org/lkml/2010/11/7/51
*** http://lkml.org/lkml/2010/11/7/52
*** http://lkml.org/lkml/2010/11/7/53
*** http://lkml.org/lkml/2010/11/8/14
* examine page permissions and get rid of rwx mappings
* implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC
* disable set_kernel_text_rw() and friends via sysctl
* module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN
** http://lkml.org/lkml/2010/11/7/212
* block hibernation image attacks (Vasiliy Kulikov)
** http://permalink.gmane.org/gmane.linux.kernel/1108853
* copy_*_user() hardening, like CONFIG_PAX_USERCOPY
** keep length under MAX_INT
** validate targets against compiler knowledge of static buffers or look up buffer sizes from the heap allocator
* User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP
* Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK
* Kernel stack clearing, like CONFIG_PAX_STACKLEAK
* Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT
* kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM
* add -Wextra and perform associated cleanups
* restricted access to vm86-related syscalls/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl
* ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability actually be affected by the current personality, which is currently not the case)
** this will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting _only_ child processes - i.e., not vzctl itself, but the container's /sbin/init - will do for this purpose)
* whitelist filesystem module autoloading, similar to the rare network module blacklist

== Userspace Protections ==

* linking restrictions (CONFIG_GRKERNSEC_LINK), see above... (Kees Cook)
* fifo restrictions (CONFIG_GRKERNSEC_FIFO), closely related to the linking restrictions mentioned above
* mprotect hardening (CONFIG_PAX_MPROTECT)
* segv respawn restriction (CONFIG_GRKERNSEC_BRUTE)
* /proc visibility restriction (CONFIG_GRKERNSEC_PROC_USER)
* safer set*uid() behavior on error (don't fail & return; instead SIGSEGV if it has to fail because of resource shortage), was implemented unconditionally in Linux 2.4.x-ow but needs different treatment for 2.6.x/upstream (maybe sysctl'able)
* destroy shm not in use (CONFIG_HARDEN_SHM from Linux 2.4.x-ow), which is needed to prevent RLIMIT_AS*RLIMIT_NPROC bypasses
* nx-emulation (RedHat Exec-Shield, CONFIG_PAX_SEGMEXEC, or better yet CONFIG_PAX_PAGEEXEC)
** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
* ASCII-armor ASLR (RedHat Exec-Shield)
** needs serious entropy improvement if it should be used at all
*** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization
*** http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html
** at least with RHEL5'ish kernels (not tested on Ubuntu specifically), exec-shield appears to provide ASCII-armor for mmap'ed shared libs with 32-bit kernels, but does not do it when running 32-bit binaries on 64-bit kernels (64-bit bins are OK) - looks like a code bug (or incomplete implementation) to chase down and fix (this is needed for our own use regardless of upstream submission)
** "enforcing" mode for W^X (ignore GNU ELF flags), sysctl'able and/or per process tree and/or per-container
** TARPIT netfilter target https://bugs.launchpad.net/ubuntu/+source/linux/+bug/78361
** CAPs-less ping: http://marc.info/?l=linux-kernel&m=129434182105135

0d064bbd6f28f558794565931d6c9aa74b3235a5 3440 3438 2012-11-14T19:00:36Z CoreyBryant 4 wikitext text/x-wiki

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of effort. There are a number of desired Linux Kernel hardening projects listed below that are inactive and do not have an owner. If you would like to take ownership of one of these projects or have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine whether patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:

* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so that as much information as possible is available to make an educated decision about potential implementations.

== Symlink Protection ==

A long-standing class of security issues is the symlink-based [http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use ToCToU] race, most commonly seen in world-writable directories like /tmp/.
The common method of exploitation of [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tmp+symlink this flaw] is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user). The solution is to not permit symlinks to be followed when the users do not match, but only in a world-writable sticky directory (with the additional improvement that the directory owner's symlinks can always be followed, regardless of who is following them).

Some links to the history of its discussion:

* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREAT|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010491.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

== Hardlink Protection ==

Hardlinks can be abused in a [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hardlink similar fashion] to the symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor untraceable quota-bypassing local denial of service is possible by an attacker exhausting disk space by filling a world-writable directory with hardlinks. The solution is to not allow the creation of hardlinks to files that a given user would be unable to write to originally.

Some links to the history of its discussion:

* 1997 Dec, Yuri Kuzmenko http://lkml.org/lkml/1997/12/29/20
* 2002 Apr, Chris Wright http://lkml.org/lkml/2002/4/13/99

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break atd, courier, and other unknown applications that use this feature.
** These applications are easy to spot and can be tested and fixed. Applications that are vulnerable to hardlink attacks by not having the change aren't.
** atd could be easily "repaired" by including a real uid==0 check, like Linux 2.4.x-ow does for that reason, or it might have been fixed since then; or, better yet, the [http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/ OpenBSD-derived crond] should be used instead, which includes at(1) support (and never had the problem with hardlinks). The latter solution also gets rid of a SUID root program (at(1) is then SGID to group crontab) and of a root-privileged daemon (cron and atd are replaced with just one crond).
** Courier was only broken by the original, most restrictive -ow patch; it was "repaired" in newer -ow patch revisions by adding the "or is writable by the current user" check, which is also present in the proposed patches below (in other words, Courier won't break with these patches).
* Applications should correctly drop privileges before attempting to access user files.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw in the kernel is a single solution to the entire class of vulnerability.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/hardlink proposed upstream patch]

== ptrace Protection ==

As Linux grows in popularity, it will become a growing target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. firefox) were compromised, it would be possible for an attacker to attach to other running processes (e.g. gpg-agent) to extract additional credentials and continue to expand the scope of their attack. This is not a theoretical problem. [http://www.storm.net.nz/projects/7 SSH session hijacking] and even [http://c-skills.blogspot.com/2009/10/injectso-32bit-x86-port.html arbitrary code injection] are fully possible if ptrace is allowed normally. For a solution, some applications use prctl() to specifically disallow such ptrace attachment (e.g. ssh-agent). A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct gdb and strace still work), or as the root user (i.e. gdb BIN PID and strace -p PID still work as root). This behavior is controlled via the /proc/sys/kernel/yama/ptrace_scope sysctl value. The default is "1" to block non-child ptrace. A value of "0" restores the prior, more permissive behavior, which may be more appropriate for some development systems and servers with only admin accounts. Using "sudo" can also temporarily grant ptrace permissions via the CAP_SYS_PTRACE capability, though this method allows the ptrace of any process.

[https://lists.ubuntu.com/archives/kernel-team/2010-May/010499.html initial proposed patch]

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/ptrace proposed upstream patch]

== Partial NX Emulation ==

Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS register is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS limit. Executable regions are loaded below the CS limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does provide a split between the loaded libraries (and BSS) and text segment on one side and the brk and mmap heap and stack regions on the other. Versions of this patch have been carried by RedHat, SUSE, Openwall, grsecurity and others for a long time.

[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch]

== chroot Protection ==

Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls. While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots), so many behaviors are changed that they come into conflict with the more common development configurations. Solutions are varied. Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but fixing it does not block the other avenues, so the gain is very small when compared with the downside of carrying a delta from the upstream kernel. A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service.

Some links to the history of its discussion:

* 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html

Past objections and rebuttals could be summarized as:

* Violates POSIX.
** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security.
* Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot.
** True, but maybe disallowing double-chroot is okay.
* Can escape chroots in a large number of ways; containers are better.
** Fix each flaw. Containers are not very easy to use yet.

[http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix]

== Additional Kernel Hardening Development Projects ==

Following are more upstream Linux kernel projects that would make it harder for security vulnerabilities to become exploitable. Note: Many CONFIG_* items below refer to PaX and grsecurity.
* ASLR for kernel code (Dan Rosenberg: IN PROGRESS)
* remove remaining kernel address leaks that prevent ASLR from being effective (Dan Rosenberg)
** https://patchwork.kernel.org/patch/487751/
*** kernel/cgroup.c
*** kernel/kprobes.c
*** kernel/lockdep_proc.c
** /proc/mtrr
** /proc/slabinfo
** /proc/asound/cards
** /sys/devices/*/*/resources
** /proc/net/ptype
** /sys/kernel/slab/*/ctor
** /proc/iomem
** inet_diag NETLINK socket addresses
** ...
* chase down const-ification of function pointers (Kees Cook)
** Emese Revfy's patches
** Lionel Debroux's grsecurity extractions
*** http://lkml.org/lkml/2010/11/7/51
*** http://lkml.org/lkml/2010/11/7/52
*** http://lkml.org/lkml/2010/11/7/53
*** http://lkml.org/lkml/2010/11/8/14
* examine page permissions and get rid of rwx mappings
* implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC
* disable set_kernel_text_rw() and friends via sysctl
* module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN
** http://lkml.org/lkml/2010/11/7/212
* block hibernation image attacks (Vasiliy Kulikov)
** http://permalink.gmane.org/gmane.linux.kernel/1108853
* copy_*_user() hardening, like CONFIG_PAX_USERCOPY
** keep length under MAX_INT
** validate targets against compiler knowledge of static buffers or look up buffer sizes from the heap allocator
* User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP
* Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK
* Kernel stack clearing, like CONFIG_PAX_STACKLEAK
* Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT
* kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM
* add -Wextra and perform associated cleanups
* restricted access to vm86-related syscalls/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl
* ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability actually be affected by the current personality, which is currently not the case)
** this will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting _only_ child processes - i.e., not vzctl itself, but the container's /sbin/init - will do for this purpose)
* whitelist filesystem module autoloading, similar to the rare network module blacklist

== Userspace Protections ==

* linking restrictions (CONFIG_GRKERNSEC_LINK), see above... (Kees Cook)
* fifo restrictions (CONFIG_GRKERNSEC_FIFO), closely related to the linking restrictions mentioned above
* mprotect hardening (CONFIG_PAX_MPROTECT)
* segv respawn restriction (CONFIG_GRKERNSEC_BRUTE)
* /proc visibility restriction (CONFIG_GRKERNSEC_PROC_USER)
* safer set*uid() behavior on error (don't fail & return; instead SIGSEGV if it has to fail because of resource shortage), was implemented unconditionally in Linux 2.4.x-ow but needs different treatment for 2.6.x/upstream (maybe sysctl'able)
* destroy shm not in use (CONFIG_HARDEN_SHM from Linux 2.4.x-ow), which is needed to prevent RLIMIT_AS*RLIMIT_NPROC bypasses
* nx-emulation (RedHat Exec-Shield, CONFIG_PAX_SEGMEXEC, or better yet CONFIG_PAX_PAGEEXEC)
** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
* ASCII-armor ASLR (RedHat Exec-Shield)
** needs serious entropy improvement if it should be used at all
*** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization
*** http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html
** at least with RHEL5'ish kernels (not tested on Ubuntu specifically), exec-shield appears to provide ASCII-armor for mmap'ed shared libs with 32-bit kernels, but does not do it when running 32-bit binaries on 64-bit kernels (64-bit bins are OK) - looks like a code bug (or incomplete implementation) to chase down and fix (this is needed for our own use regardless of upstream submission)
** "enforcing" mode for W^X (ignore GNU ELF flags), sysctl'able and/or per process tree and/or per-container
** TARPIT netfilter target https://bugs.launchpad.net/ubuntu/+source/linux/+bug/78361
** CAPs-less ping: http://marc.info/?l=linux-kernel&m=129434182105135

a9429aa96a16a069895d9e063cb0fdc6c854dc25 3441 3440 2012-11-14T19:43:27Z CoreyBryant 4 wikitext text/x-wiki

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of effort. There are a number of desired Linux Kernel hardening projects listed below that are inactive and do not have an owner. If you would like to take ownership of one of these projects or have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Process Improvements =

== Security Code Review Guidelines ==

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys lying around.

== Patch Signing ==

This project would provide support to determine whether patches have been modified or tampered with since they were signed.

= Verification of Critical Subsystems =

This project would provide verification of critical subsystems such as:

* Networking
* Network file systems
* KVM
* Cryptographic library
* Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzz testing, etc.

= Development =

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux.
Some have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so as much information is available to make an educated decision about potential implementations. == Partial NX Emulation == Non-executable memory is likely one of the most important protections in modern computing. Hardware support exists for it in modern CPUs, but many systems do not benefit from this security. To simulate the execute bit in the kernel's memory page tables, the CS register is used to break memory into two regions. This allows for a fast way to distinguish between memory above and below the CS-limit. Executable regions are loaded below the CS-limit. This is fast but not perfectly accurate, since the BSS regions of loaded libraries will remain in the executable region. It does provide a split between the loaded libraries (and BSS) and text segment from the brk and mmap heap and stack regions. Versions of this patch have been carried by RedHat, SUSE, Openwall, grsecurity and others for a long time. [http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu proposed upstream patch] == chroot Protection == Many administrators attempt to contain potentially exploitable services in chroots. Unfortunately, chroots are not designed to be a security protection (they are for development and debugging). It is possible to reasonably contain a non-privileged process in a chroot, but attempting to contain a root user is fraught with pitfalls. While it is certainly possible to patch the kernel to have a hardened chroot() (for example, grsecurity has a large set of protections that lock down chroots) so many behaviors are changed and come in conflict with the more common development configurations. Solutions are varied. 
Among the methods of chroot escape is manipulating the current working directory to be outside the current chroot via a second chroot() call (others include using /proc/*/cwd, fchdir(), and ptrace). This single flaw is trivial to fix, but does not block the other avenues, so the gain is very small when compared with the down-side of carrying a delta from the upstream kernel. A better solution is to side-step the problem entirely. Since these security protections are being designed correctly with containers (see [http://manpages.ubuntu.com/manpages/precise/en/man8/clone.8.html CLONE_NEW*]), it would be better to use containers or MAC from the start when trying to isolate a service. Some links to the history of its discussion: * 2007 Sep, David Newall http://lkml.indiana.edu/hypermail/linux/kernel/0709.3/0721.html Past objections and rebuttals could be summarized as: * Violates POSIX. ** POSIX didn't consider or really define this situation, and it's not useful to follow a broken specification at the cost of security. * Might break debootstrap, debian-installer, and anything else that expects to chroot() within a chroot. ** True, but maybe disallowing double-chroot is okay. * Can escape chroots in a large number of ways; containers are better. ** Fix each flaw. Containers are not very easy to use yet. [http://people.canonical.com/~kees/0001-chroot-cwd-protection.patch Example implementation of cwd fix] == Additional Kernel Hardening Development Projects == Following are more upstream Linux kernel projects that would make it harder for security vulnerabilities to become exploitable. Note: Many CONFIG_* items below refer to PaX and grsecurity. 
* remove remaining kernel address leaks that prevent ASLR from being effective ** https://patchwork.kernel.org/patch/487751/ *** kernel/cgroup.c *** kernel/kprobes.c *** kernel/lockdep_proc.c ** /proc/mtrr ** /proc/slabinfo ** /proc/asound/cards ** /sys/devices/*/*/resources ** /proc/net/ptype ** /sys/kernel/slab/*/ctor ** /proc/iomem ** inet_diag NETLINK socket addresses ** ... * chase down const-ification of function pointers ** Emese Revfy's patches ** Lionel Debroux's grsecurity extractions *** http://lkml.org/lkml/2010/11/7/51 *** http://lkml.org/lkml/2010/11/7/52 *** http://lkml.org/lkml/2010/11/7/53 *** http://lkml.org/lkml/2010/11/8/14 * examine page permissions and get rid of rwx mappings * implement __read_only for things that can't really be const, like CONFIG_PAX_KERNEXEC * disable set_kernel_text_rw() and friends via sysctl * module autoloading control, like CONFIG_GRKERNSEC_MODHARDEN ** http://lkml.org/lkml/2010/11/7/212 * block hibernation image attacks (Vasiliy Kulikov) ** http://permalink.gmane.org/gmane.linux.kernel/1108853 * copy_*_user() hardening, like CONFIG_PAX_USERCOPY ** keep length under MAX_INT ** validate targets against compiler knowledge of static buffers or look up buffer sizes from heap allocator * User/Kernel memory segmentation, like CONFIG_PAX_MEMORY_UDEREF or Intel SMEP * Kernel stack ASLR, like CONFIG_PAX_RANDKSTACK * Kernel stack clearing, like CONFIG_PAX_STACKLEAK * Kernel refcount overflow protection, like CONFIG_PAX_REFCOUNT * kernel symbol name hiding, like CONFIG_GRKERNSEC_HIDESYM * add -Wextra and perform associated cleanups * restricted access to vm86-related syscall/features, like CONFIG_HARDEN_VM86 in Linux 2.4.x-ow, but turned into a sysctl * ability to set/lock/force a process (and/or any children it might spawn) to 32-bit only or 64-bit only (or implement a general "personality lock" and have main/compat syscall availability be actually affected by the current personality, which is currently not the case) ** this 
will be particularly useful with container-based virtualization (LXC, OpenVZ, vserver), where the container startup program will lock the bitness/personality before launching the container's /sbin/init (e.g., a prctl() affecting _only_ child processes - e.g., not yet vzctl, but the container's /sbin/init - will do for this purpose) * whitelist filesystem module autoloading. similar to rare network module blacklist == Userspace Protections == * linking restrictions (CONFIG_GRKERNSEC_LINK), see above... (Kees Cook) * fifo restrictions (CONFIG_GRKERNSEC_FIFO), closely related to the linking restrictions mentioned above * mprotect hardening (CONFIG_PAX_MPROTECT) * segv respawn restriction (CONFIG_GRKERNSEC_BRUTE) * /proc visibility restriction (CONFIG_GRKERNSEC_PROC_USER) * safer set*uid() behavior on error (don't fail & return, instead SIGSEGV if has to fail because of resource shortage), was implemented unconditionally in Linux 2.4.x-ow but needs different treatment for 2.6.x/upstream (maybe sysctl'able) * destroy shm not in use (CONFIG_HARDEN_SHM from Linux 2.4.x-ow), which is needed to prevent RLIMIT_AS*RLIMIT_NPROC bypasses * nx-emulation (RedHat Exec-Shield, CONFIG_PAX_SEGMEXEC, or better yet CONFIG_PAX_PAGEEXEC) ** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation * ASCII-armor ASLR (RedHat Exec-Shield) ** needs serious entropy improvement if it should be used at all *** http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization *** http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html ** at least with RHEL5'ish kernels (not tested on Ubuntu specifically), exec-shield appears to provide ASCII-armor for mmap'ed shared libs with 32-bit kernels, but does not do it when running 32-bit binaries on 64-bit kernels (64-bit bins are OK) - looks like a code bug (or incomplete implementation) to chase 
down and fix (this is needed for our own use regardless of upstream submission)
** "enforcing" mode for W^X (ignore GNU ELF flags), sysctl'able and/or per process tree and/or per-container
** TARPIT netfilter target https://bugs.launchpad.net/ubuntu/+source/linux/+bug/78361
** CAPs-less ping: http://marc.info/?l=linux-kernel&m=129434182105135

38e224bbc891f3e1dacea6f66b6fc2621b54b5b2
e67a4961c1bfc6462dd443cc1f6f42ed643839ab Active Projects 0 103 3439 3434 2012-11-14T18:55:21Z CoreyBryant 4 wikitext text/x-wiki The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them. If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com. = Static Analysis = == Coccinelle == [http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages. Run by: * Fengguang Wu - Running against what trees? * Artem Bityutskiy - Running against what trees? == Coverity == [http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects. Run by: * Paul Moore at Red Hat against what trees? == Smatch == [http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C. Run by: * Dan Carpenter - Running against linux-next x86_64 allmodconfig * Fengguang Wu - Running against what trees? = Fuzz Testing = == Trinity == [http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer. Run by: * Dave Jones and Fengguang Wu are running Trinity. d04501094ee77dab7a20d32b313281404268117c 3442 3439 2012-11-14T19:44:56Z CoreyBryant 4 wikitext text/x-wiki The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them. 
If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com. = Static Analysis = == Coccinelle == [http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages. Run by: * Fengguang Wu - Running against what trees? * Artem Bityutskiy - Running against what trees? == Coverity == [http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects. Run by: * Paul Moore at Red Hat against what trees? == Smatch == [http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C. Run by: * Dan Carpenter - Running against linux-next x86_64 allmodconfig * Fengguang Wu - Running against what trees? = Fuzz Testing = == Trinity == [http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer. Run by: * Dave Jones and Fengguang Wu are running Trinity. = Development = * ASLR for kernel code (Google) 57aa75ac2dd2ad4e7b88648cf23e98fc8da4a2e1 3444 3442 2012-11-14T22:09:46Z CoreyBryant 4 wikitext text/x-wiki The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them. If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com. = Static Analysis = == Coccinelle == [http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages. Run by: * Fengguang Wu - Running against what trees? * Artem Bityutskiy - Running against what trees? 
== Coverity ==

[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?

== Smatch ==

[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Dynamic Analysis =

== Valgrind ==

[http://valgrind.org/ Valgrind] is an instrumentation framework for building dynamic analysis tools and there are Valgrind tools for automatically detecting many memory management and threading bugs.

= Fuzz Testing =

== Trinity ==

[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

== Metasploit ==

[http://www.metasploit.com/ Metasploit] software is used for identifying security issues. It includes many capabilities, including fuzz testing.

Run by:
* ?

= Development =

* ASLR for kernel code (Google)

f91cbe57fbe5e17ba73eda4f2a9745a72dd70e02 3445 3444 2012-11-14T22:10:22Z CoreyBryant 4 wikitext text/x-wiki

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Static Analysis =

== Coccinelle ==

[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?
== Coverity ==

[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?

== Smatch ==

[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Dynamic Analysis =

== Valgrind ==

[http://valgrind.org/ Valgrind] is an instrumentation framework for building dynamic analysis tools and there are Valgrind tools for automatically detecting many memory management and threading bugs.

Run by:
* ?

= Fuzz Testing =

== Trinity ==

[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

== Metasploit ==

[http://www.metasploit.com/ Metasploit] software is used for identifying security issues. It includes many capabilities, including fuzz testing.

Run by:
* ?

= Development =

* ASLR for kernel code (Google)

e0e3f8032b60d77088bce9a607bd222893274a40 3446 3445 2012-11-14T22:11:24Z CoreyBryant 4 wikitext text/x-wiki

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Static Analysis =

== Coccinelle ==

[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?
== Coverity ==

[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?

== Smatch ==

[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Dynamic Analysis =

== Valgrind ==

[http://valgrind.org/ Valgrind] is an instrumentation framework for building dynamic analysis tools and there are Valgrind tools for automatically detecting many memory management and threading bugs.

Run by:
* ?

= Fuzz Testing =

== Trinity ==

[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

== Metasploit ==

[http://www.metasploit.com/ Metasploit] software is used for identifying security issues. It includes many capabilities, including fuzzer support.

Run by:
* ?

= Development =

* ASLR for kernel code (Google)

d4c94d5f2af44117a8e59781ffeb7df8e3d9d0e2 3447 3446 2012-11-14T22:12:03Z CoreyBryant 4 wikitext text/x-wiki

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Static Analysis =

== Coccinelle ==

[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?
== Coverity ==

[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?

== Smatch ==

[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Dynamic Analysis =

== Valgrind ==

[http://valgrind.org/ Valgrind] is an instrumentation framework for building dynamic analysis tools and there are Valgrind tools for automatically detecting many memory management and threading bugs.

Run by:
* ?

= Fuzz Testing =

== Trinity ==

[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

== Metasploit ==

[http://www.metasploit.com/ Metasploit] software is used for identifying security issues. It includes many capabilities, including fuzzer support.

Run by:
* ?

= Development =

* ASLR for kernel code

Owner: Google

f7aa2e0f8d9fe72d5b8525cbe7a05f876772f345 3448 3447 2012-11-14T22:13:03Z CoreyBryant 4 wikitext text/x-wiki

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Static Analysis =

== Coccinelle ==

[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?
== Coverity ==

[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by:
* Paul Moore at Red Hat against what trees?

== Smatch ==

[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Dynamic Analysis =

== Valgrind ==

[http://valgrind.org/ Valgrind] is an instrumentation framework for building dynamic analysis tools and there are Valgrind tools for automatically detecting many memory management and threading bugs.

Run by:
* ?

= Fuzz Testing =

== Trinity ==

[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by:
* Dave Jones and Fengguang Wu are running Trinity.

== Metasploit ==

[http://www.metasploit.com/ Metasploit] software is used for identifying security issues. It includes many capabilities, including fuzzer support.

Run by:
* ?

= Development =

== ASLR for kernel code ==

Owner: Google

93fd4ede061895e1c745ec3720fc349f77842c06 3449 3448 2012-11-14T22:14:00Z CoreyBryant 4 wikitext text/x-wiki

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

If you have an update for this page, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com.

= Static Analysis =

== Coccinelle ==

[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?
== Coverity ==

[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by: Paul Moore at Red Hat against what trees?

== Smatch ==

[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Dynamic Analysis =

== Valgrind ==

[http://valgrind.org/ Valgrind] is an instrumentation framework for building dynamic analysis tools and there are Valgrind tools for automatically detecting many memory management and threading bugs.

Run by: ?

= Fuzz Testing =

== Trinity ==

[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by: Dave Jones and Fengguang Wu

== Metasploit ==

[http://www.metasploit.com/ Metasploit] software is used for identifying security issues. It includes many capabilities, including fuzzer support.

Run by: ?

= Development =

== ASLR for kernel code ==

Project Owner: Google

6de449e80078a9e16039616fe912f8fd0b6f157f 3450 3449 2012-11-15T18:03:59Z CoreyBryant 4 wikitext text/x-wiki

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

= Static Analysis =

== Coccinelle ==

[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?

== Coverity ==

[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.
Run by: Paul Moore at Red Hat against what trees?

== Smatch ==

[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Dynamic Analysis =

== Valgrind ==

[http://valgrind.org/ Valgrind] is an instrumentation framework for building dynamic analysis tools and there are Valgrind tools for automatically detecting many memory management and threading bugs.

Run by: ?

= Fuzz Testing =

== Trinity ==

[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by: Dave Jones and Fengguang Wu

== Metasploit ==

[http://www.metasploit.com/ Metasploit] software is used for identifying security issues. It includes many capabilities, including fuzzer support.

Run by: ?

= Development =

== ASLR for kernel code ==

Project Owner: Google

6a24639d06f02e026e922e450e354f4f69769cfc 3452 3450 2012-11-20T20:39:56Z CoreyBryant 4 /* Valgrind */ wikitext text/x-wiki

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

= Static Analysis =

== Coccinelle ==

[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?

== Coverity ==

[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by: Paul Moore at Red Hat against what trees?

== Smatch ==

[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.
Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Dynamic Analysis =

== kmemcheck, kmemleak ==

Linux Kernel debugging features for detecting memory issues.

Run by: ?

== KEDR ==

[http://kedr.berlios.de/ KEDR] provides runtime analysis of Linux kernel modules including device drivers, file system modules, etc.

Run by: ?

= Fuzz Testing =

== Trinity ==

[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by: Dave Jones and Fengguang Wu

== Metasploit ==

[http://www.metasploit.com/ Metasploit] software is used for identifying security issues. It includes many capabilities, including fuzzer support.

Run by: ?

= Development =

== ASLR for kernel code ==

Project Owner: Google

dcf8361ceaf83c643e5bcd863c3ab0196f724a22

Events 0 6 3453 3361 2013-02-04T04:07:38Z JamesMorris 2 /* 2013 */ wikitext text/x-wiki

== Upcoming ==

===2013===

19-20 September, New Orleans, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon] and [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

== Past ==

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

===2011===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

===2010===
* [[Linux Security Summit 2012]], Boston MA, USA.

===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf 20 January 2009, Hobart, Australia.
be7bb6f40312a06b9f951d9dbeee4443162e9f54 3456 3453 2013-02-04T04:28:16Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki

== Upcoming ==

===2013===
* [[Linux Security Summit 2013]] 19-20 September, New Orleans, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon] and [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

== Past ==

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

===2011===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

===2010===
* [[Linux Security Summit 2012]], Boston MA, USA.

===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf 20 January 2009, Hobart, Australia.

97d1b5d2d17ef606f66c6c96f1da61f124958b39 3457 3456 2013-02-04T04:28:34Z JamesMorris 2 wikitext text/x-wiki

== Upcoming ==

===2013===
* [[Linux Security Summit 2013]] 19-20 September, New Orleans, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon] and [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

== Past ==

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

===2011===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

===2010===
* [[Linux Security Summit 2012]], Boston MA, USA.

===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf 20 January 2009, Hobart, Australia.

38f6b29b43511f951721e2fb98a0b490bf055235 3466 3457 2013-07-15T15:18:50Z JamesMorris 2 /* 2010 */ wikitext text/x-wiki

== Upcoming ==

===2013===
* [[Linux Security Summit 2013]] 19-20 September, New Orleans, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon] and [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

== Past ==

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

===2011===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

===2010===
* [[Linux Security Summit 2010]], Boston MA, USA.

===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf 20 January 2009, Hobart, Australia.

35712187c012941a9ce4ab6689d2337967de9fcf 3467 3466 2013-07-15T15:21:03Z JamesMorris 2 /* 2010 */ wikitext text/x-wiki

== Upcoming ==

===2013===
* [[Linux Security Summit 2013]] 19-20 September, New Orleans, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon] and [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

== Past ==

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

===2011===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

===2010===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA.

===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf 20 January 2009, Hobart, Australia.

bf390407f7e91f693c50d16ca5a044836b83fcc2 3487 3467 2014-02-13T13:31:32Z JamesMorris 2 wikitext text/x-wiki

== Upcoming ==

===2014===
* [[Linux Security Summit 2014]] 19-20 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].

== Past ==

=== 2013 ===
* [[Linux Security Summit 2013]] New Orleans, USA.

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

===2011===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

===2010===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA.

===2009===
*Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
**CFP
**LWN discussion
*SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
**Event Details
*Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next
*Kernel Conference Australia, July 2009, Brisbane, Australia.
*LCA security miniconf 20 January 2009, Hobart, Australia.

b8a292114dcd3c7691876a6ffe98732c07e21c34

Linux Security Summit 2013 0 108 3454 2013-02-04T04:26:16Z JamesMorris 2 New page: =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts ... wikitext text/x-wiki

=Description=

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.
The format of the summit will be:
* Refereed presentations
* Short talks
* Roundtable discussions
* Breakout development sessions

= Schedule =

The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [Linux Plumbers.

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.

=Call for Participation=

The CFP will be announced soon.

=Program Committee=

The Linux Security Summit for 2013 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Tresys
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

b02ad62a5e0280677ebb712415a762a9941f2689 3455 3454 2013-02-04T04:26:46Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki

=Description=

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Short talks
* Roundtable discussions
* Breakout development sessions

= Schedule =

The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon.
See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.

=Call for Participation=

The CFP will be announced soon.

=Program Committee=

The Linux Security Summit for 2013 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Tresys
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

72b6d517ace34741b6e74d08d67c98070aeb62ae 3458 3455 2013-03-11T01:40:49Z JamesMorris 2 /* Program Committee */ wikitext text/x-wiki

=Description=

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Short talks
* Roundtable discussions
* Breakout development sessions

= Schedule =

The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.

=Call for Participation=

The CFP will be announced soon.
=Program Committee=

The Linux Security Summit for 2013 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

b9fd0e32649fd0892634e6ae87b94539373f6233 3459 3458 2013-05-06T08:51:57Z JamesMorris 2 /* Description */ wikitext text/x-wiki

=Description=

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Schedule =

The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.

=Call for Participation=

The CFP will be announced soon.
=Program Committee=

The Linux Security Summit for 2013 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

f8436d66387256aa0fc5904be2788f09d7b6ff66 3460 3459 2013-05-06T09:17:08Z JamesMorris 2 /* Call for Participation */ wikitext text/x-wiki

=Description=

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Schedule =

The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.

=Call for Participation=

The Linux Security Summit CFP is now open, and will close on '''4th June'''. Accepted speakers will be notified by 21st of June.

The program committee currently seeks proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

=Program Committee=

The Linux Security Summit for 2013 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

2c36cbb448b22868bdf4e71be664ee43b8bc7feb 3461 3460 2013-05-06T09:17:26Z JamesMorris 2 /* Call for Participation */ wikitext text/x-wiki

=Description=

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Schedule =

The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.

=Call for Participation=

The Linux Security Summit CFP is now open, and will close on '''4th June'''. Accepted speakers will be notified by 21st of June.
The program committee currently seeks proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

=Program Committee=

The Linux Security Summit for 2013 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

38b7e69b15707796c4aa0f2664b8c7a48e5fe6aa 3462 3461 2013-05-06T09:57:07Z JamesMorris 2 /* Call for Participation */ wikitext text/x-wiki

=Description=

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Schedule =

The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers].

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation.
=Call for Participation=

The Linux Security Summit CFP is now open, and will close on '''14th June'''. Accepted speakers will be notified by 21st of June.

The program committee currently seeks proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

=Program Committee=

The Linux Security Summit for 2013 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

b81510b7076978c4f7364c455fd8ee010098a47c 3463 3462 2013-05-24T04:41:52Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki

=Description=

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Schedule =

The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. (Note that a separate registration is required for Plumbers if attending that).
Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. =Call for Participation= The Linux Security Summit CFP is now open, and will close on '''14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. =Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 5ad4e8ee17480abba8dd694eb283d340add8ebc0 3464 3463 2013-05-24T04:42:33Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. 
It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP is now open, and will close on '''14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. =Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org c1656887baac2e3c7fa0c4bc81812252361aa2cc 3465 3464 2013-06-18T13:54:23Z JamesMorris 2 /* Call for Participation */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. 
Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
=Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 5c00b55ce287c78a0994d6607f789b5d9b0f179f 3473 3465 2013-08-02T06:02:01Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. == Day 1 (19th September) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | Ted Ts'o, Google |- |''09:50'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Refereed Talks''' |- |10:00 | [[Linux_Security_Summit_2013/Abstracts/Safford|Embedded Linux Security]] | David Safford, IBM |- |10:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen|Extending AppArmor Mediation into the Userspace]] | John Johansen, Canonical |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2013/Abstracts/Schaufler|Multiple Concurrent Security Models? 
Really?]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2013/Abstracts/Cook|Linux Kernel ASLR]] | Kees Cook, Google |- |14:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen2|The AppArmor Labeling Model]] | NNN, CCC |- |''15:30'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Short Topics''' |- |15:50 | SELinux update | TBA |- |16:10 | Smack update | Casey Schaufler, Intel |- |16:30 | Integrity update | Mimi Zohar, IBM |- |16:50 | Core Kernel - "Fixing anti-patterns" | Kees Cook, Canonical |- |''17:30'' |colspan="2"|''Finish'' |} == Day 2 (20th September) == Break-out sessions starting at 9am. Details TBA. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
=Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 82d5500574efdd57959594e3e957625daf04df7d 3474 3473 2013-08-02T06:08:44Z JamesMorris 2 /* Day 1 (19th September) */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. == Day 1 (19th September) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://thunk.org/tytso Ted Ts'o], Google |- |''09:50'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Refereed Talks''' |- |10:00 | [[Linux_Security_Summit_2013/Abstracts/Safford|Embedded Linux Security]] | David Safford, IBM |- |10:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen|Extending AppArmor Mediation into the Userspace]] | John Johansen, Canonical |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2013/Abstracts/Schaufler|Multiple Concurrent Security Models? 
Really?]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2013/Abstracts/Cook|Linux Kernel ASLR]] | Kees Cook, Google |- |14:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen2|The AppArmor Labeling Model]] | NNN, CCC |- |''15:30'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Short Topics''' |- |15:50 | SELinux update | TBA |- |16:10 | Smack update | Casey Schaufler, Intel |- |16:30 | Integrity update | Mimi Zohar, IBM |- |16:50 | Core Kernel - "Fixing anti-patterns" | Kees Cook, Canonical |- |''17:30'' |colspan="2"|''Finish'' |} == Day 2 (20th September) == Break-out sessions starting at 9am. Details TBA. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
=Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 3dba93753ef2788c3b80efd03f723d27af300e3f 3475 3474 2013-08-02T06:09:19Z JamesMorris 2 /* Day 1 (19th September) */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. == Day 1 (19th September) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://thunk.org/tytso Ted Ts'o], Google |- |''09:50'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Refereed Talks''' |- |10:00 | [[Linux_Security_Summit_2013/Abstracts/Safford|Embedded Linux Security]] | David Safford, IBM |- |10:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen|Extending AppArmor Mediation into the Userspace]] | John Johansen, Canonical |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2013/Abstracts/Schaufler|Multiple Concurrent Security Models? 
Really?]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2013/Abstracts/Cook|Linux Kernel ASLR]] | Kees Cook, Google |- |14:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen2|The AppArmor Labeling Model]] | John Johansen, Canonical |- |''15:30'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Short Topics''' |- |15:50 | SELinux update | TBA |- |16:10 | Smack update | Casey Schaufler, Intel |- |16:30 | Integrity update | Mimi Zohar, IBM |- |16:50 | Core Kernel - "Fixing anti-patterns" | Kees Cook, Canonical |- |''17:30'' |colspan="2"|''Finish'' |} == Day 2 (20th September) == Break-out sessions starting at 9am. Details TBA. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
=Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 16dd91681ad9107de0d476bcd840f5070fbc3976 3476 3475 2013-09-11T20:43:22Z JamesMorris 2 /* Day 1 (19th September) */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. == Day 1 (19th September) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://thunk.org/tytso Ted Ts'o], Google |- |''09:50'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Refereed Talks''' |- |10:00 | [[Linux_Security_Summit_2013/Abstracts/Safford|Embedded Linux Security]] | David Safford, IBM |- |10:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen|Extending AppArmor Mediation into the Userspace]] | John Johansen, Canonical |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2013/Abstracts/Schaufler|Multiple Concurrent Security Models? 
Really?]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2013/Abstracts/Cook|Linux Kernel ASLR]] | Kees Cook, Google |- |14:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen2|The AppArmor Labeling Model]] | John Johansen, Canonical |- |''15:30'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Short Topics''' |- |15:50 | SELinux update | Paul Moore, Red Hat |- |16:10 | Smack update | Casey Schaufler, Intel |- |16:30 | Integrity update | Mimi Zohar, IBM |- |16:50 | Core Kernel - "Fixing anti-patterns" | Kees Cook, Canonical |- |''17:30'' |colspan="2"|''Finish'' |} == Day 2 (20th September) == Break-out sessions starting at 9am. Details TBA. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
=Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org b2c6d02423f0217f9e0795f0a257f3ef9d88a656 3477 3476 2013-09-14T06:38:05Z KeesCook 3 /* Day 1 (19th September) */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. == Day 1 (19th September) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://thunk.org/tytso Ted Ts'o], Google |- |''09:50'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Refereed Talks''' |- |10:00 | [[Linux_Security_Summit_2013/Abstracts/Safford|Embedded Linux Security]] | David Safford, IBM |- |10:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen|Extending AppArmor Mediation into the Userspace]] | John Johansen, Canonical |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2013/Abstracts/Schaufler|Multiple Concurrent Security Models? 
Really?]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2013/Abstracts/Cook|Linux Kernel ASLR]] | Kees Cook, Google |- |14:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen2|The AppArmor Labeling Model]] | John Johansen, Canonical |- |''15:30'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Short Topics''' |- |15:50 | SELinux update | Paul Moore, Red Hat |- |16:10 | Smack update | Casey Schaufler, Intel |- |16:30 | Integrity update | Mimi Zohar, IBM |- |16:50 | Core Kernel - "Fixing anti-patterns" | Kees Cook, Google |- |''17:30'' |colspan="2"|''Finish'' |} == Day 2 (20th September) == Break-out sessions starting at 9am. Details TBA. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
=Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 3b51d14dfd0319899c3cd02a7098b52575a0f71b 3478 3477 2013-09-20T14:47:48Z JamesMorris 2 /* Day 1 (19th September) */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. 
== Day 1 (19th September) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://thunk.org/tytso Ted Ts'o], Google |- |''09:50'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Refereed Talks''' |- |10:00 | [[Linux_Security_Summit_2013/Abstracts/Safford|Embedded Linux Security]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_slides.pdf slides] [http://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_paper.pdf paper])'' | David Safford, IBM |- |10:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen|Extending AppArmor Mediation into the Userspace]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-userspace-2013.odp slides])'' | John Johansen, Canonical |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2013/Abstracts/Schaufler|Multiple Concurrent Security Models? Really?]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/casey_Glass2013.pdf slides])'' | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2013/Abstracts/Cook|Linux Kernel ASLR]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/cook_kaslr.pdf slides])'' | Kees Cook, Google |- |14:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen2|The AppArmor Labeling Model]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-labeling-2013.odp slides])'' | John Johansen, Canonical |- |''15:30'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Short Topics''' |- |15:50 | SELinux update | Paul Moore, Red Hat |- |16:10 | Smack update | Casey Schaufler, Intel |- |16:30 | Integrity update | Mimi Zohar, IBM |- |16:50 | Core Kernel - "Fixing anti-patterns" | Kees Cook, Google |- |''17:30'' |colspan="2"|''Finish'' |} == Day 2 (20th September) == Break-out sessions starting at 9am. Details TBA. 
Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. =Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org f7e42b8d532cbe0796cc92d8a2306bae53607f62 3479 3478 2013-09-20T14:49:18Z JamesMorris 2 /* Day 1 (19th September) */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. 
The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. == Day 1 (19th September) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://thunk.org/tytso Ted Ts'o], Google |- |''09:50'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Refereed Talks''' |- |10:00 | [[Linux_Security_Summit_2013/Abstracts/Safford|Embedded Linux Security]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_slides.pdf slides] [http://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_paper.pdf paper] [http://selinuxproject.org/~jmorris/lss2013_slides/safford_chromebook_takeown.pdf supplement: Chromebook Takedown])'' | David Safford, IBM |- |10:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen|Extending AppArmor Mediation into the Userspace]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-userspace-2013.odp slides])'' | John Johansen, Canonical |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2013/Abstracts/Schaufler|Multiple Concurrent Security Models? 
Really?]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/casey_Glass2013.pdf slides])'' | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2013/Abstracts/Cook|Linux Kernel ASLR]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/cook_kaslr.pdf slides])'' | Kees Cook, Google |- |14:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen2|The AppArmor Labeling Model]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-labeling-2013.odp slides])'' | John Johansen, Canonical |- |''15:30'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Short Topics''' |- |15:50 | SELinux update | Paul Moore, Red Hat |- |16:10 | Smack update | Casey Schaufler, Intel |- |16:30 | Integrity update | Mimi Zohar, IBM |- |16:50 | Core Kernel - "Fixing anti-patterns" | Kees Cook, Google |- |''17:30'' |colspan="2"|''Finish'' |} == Day 2 (20th September) == Break-out sessions starting at 9am. Details TBA. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. =Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 180b944dbd717b2e64211aef0c1d4d1ace574ee4 3480 3479 2013-09-20T14:50:19Z JamesMorris 2 /* Day 1 (19th September) */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. 
== Day 1 (19th September) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://thunk.org/tytso Ted Ts'o], Google |- |''09:50'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Refereed Talks''' |- |10:00 | [[Linux_Security_Summit_2013/Abstracts/Safford|Embedded Linux Security]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_slides.pdf slides] [http://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_paper.pdf paper] [http://selinuxproject.org/~jmorris/lss2013_slides/safford_chromebook_takeown.pdf supplement: Chromebook Takedown])'' | David Safford, IBM |- |10:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen|Extending AppArmor Mediation into the Userspace]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-userspace-2013.odp slides])'' | John Johansen, Canonical |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2013/Abstracts/Schaufler|Multiple Concurrent Security Models? 
Really?]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/casey_Glass2013.pdf slides])'' | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2013/Abstracts/Cook|Linux Kernel ASLR]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/cook_kaslr.pdf slides])'' | Kees Cook, Google |- |14:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen2|The AppArmor Labeling Model]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-labeling-2013.odp slides])'' | John Johansen, Canonical |- |''15:30'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Short Topics''' |- |15:50 | SELinux update | Paul Moore, Red Hat |- |16:10 | Smack update | Casey Schaufler, Intel |- |16:30 | Integrity update | Mimi Zohar, IBM |- |16:50 | Core Kernel - "Fixing anti-patterns" ''([http://selinuxproject.org/~jmorris/lss2013_slides/cook_fruit.pdf slides])'' | Kees Cook, Google |- |''17:30'' |colspan="2"|''Finish'' |} == Day 2 (20th September) == Break-out sessions starting at 9am. Details TBA. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. =Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 8edc669933e06cbc70c64b7a55ba5b85f5322e0d 3481 3480 2013-09-20T14:54:46Z JamesMorris 2 /* Day 1 (19th September) */ wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Schedule = The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], as well as [http://www.linuxplumbersconf.org/2013/ Linux Plumbers]. 
== Day 1 (19th September) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://thunk.org/tytso Ted Ts'o], Google |- |''09:50'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Refereed Talks''' |- |10:00 | [[Linux_Security_Summit_2013/Abstracts/Safford|Embedded Linux Security]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_slides.pdf slides] [http://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_paper.pdf paper] [http://selinuxproject.org/~jmorris/lss2013_slides/safford_chromebook_takeown.pdf supplement: Chromebook Takedown])'' | David Safford, IBM |- |10:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen|Extending AppArmor Mediation into the Userspace]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-userspace-2013.odp slides])'' | John Johansen, Canonical |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2013/Abstracts/Schaufler|Multiple Concurrent Security Models? 
Really?]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/casey_Glass2013.pdf slides])'' | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2013/Abstracts/Cook|Linux Kernel ASLR]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/cook_kaslr.pdf slides])'' | Kees Cook, Google |- |14:45 | [[Linux_Security_Summit_2013/Abstracts/Johansen2|The AppArmor Labeling Model]] ''([http://selinuxproject.org/~jmorris/lss2013_slides/jj_apparmor-labeling-2013.odp slides])'' | John Johansen, Canonical |- |''15:30'' |colspan="2"|''Break'' |- |colspan="3" align="center"|'''Short Topics''' |- |15:50 | SELinux update ''([http://selinuxproject.org/~jmorris/lss2013_slides/moore_lss-state_of_selinux-pmoore-092013-r2.pdf slides])'' | Paul Moore, Red Hat |- |16:10 | Smack update ''([http://selinuxproject.org/~jmorris/lss2013_slides/casey_SmackLinuxSecuritySummit2013.pdf slides])'' | Casey Schaufler, Intel |- |16:30 | Integrity update ''([http://selinuxproject.org/~jmorris/lss2013_slides/zohar_LSS2013-LinuxIntegritySubsystem-status.odp slides])'' | Mimi Zohar, IBM |- |16:50 | Core Kernel - "Fixing anti-patterns" ''([http://selinuxproject.org/~jmorris/lss2013_slides/cook_fruit.pdf slides])'' | Kees Cook, Google |- |''17:30'' |colspan="2"|''Finish'' |} == Day 2 (20th September) == Break-out sessions starting at 9am. Details TBA. Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the [https://events.linuxfoundation.org/events/linuxcon LinuxCon site] for details on registration, travel, and accommodation. (For those wishing to also attend Plumbers, a separate registration for that is required). =Call for Participation= The Linux Security Summit CFP '''closed on 14th June'''. Accepted speakers will be notified by 21st of June. 
The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. =Program Committee= The Linux Security Summit for 2013 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org b09091209597bab4a944c0b30755eb9ff6019225 Linux Security Summit 2013/Abstracts/Safford 0 109 3468 2013-08-02T05:30:50Z JamesMorris 2 New page: == Title == Embedded Linux Security == Presenter == David Safford, IBM == Abstract == Linux is in widespread use in embedded devices, but these devices typically lack critical securit... wikitext text/x-wiki == Title == Embedded Linux Security == Presenter == David Safford, IBM == Abstract == Linux is in widespread use in embedded devices, but these devices typically lack critical security features found in higher-end Linux systems. They typically do not have any way to validate their firmware, they do not have hardware roots of trust for trusted or secure boot, they do not have provisions for physical presence, and they do not have secure update. Vendors claim that these features are either too large, or too expensive to fit in their embedded devices. 
This presentation will summarize the recent widespread vulnerabilities and compromises of embedded devices, and will show how the given security features would defeat such attacks, relating the concepts to the NIST SP800 guidelines for BIOS measurement and protection, and to the ongoing work on Linux secure boot for higher end devices. It will look at four typical embedded devices, will show how all of these features can be added at _zero_ cost, and will give a live demonstration of the added security features on one such device - a TP-Link MR3020. As a bonus, the presentation will show how the same techniques can be used to fix the restricted boot of the Samsung Arm Chromebook, with physical presence enablement for updating the secure boot public key. 5c7d35d1f77e6bd1d258a65cc2ce0401fcb1da6d Linux Security Summit 2013/Abstracts/Johansen 0 110 3469 2013-08-02T05:36:22Z JamesMorris 2 New page: == Title == Extending AppArmor Mediation into the Userspace == Presenter == John Johansen == Abstract == This presentation will cover the work to extend AppArmor support into the user... wikitext text/x-wiki == Title == Extending AppArmor Mediation into the Userspace == Presenter == John Johansen == Abstract == This presentation will cover the work to extend AppArmor support into the userspace, providing better mediation for the Desktop and Ubuntu phone. It will cover how AppArmor policy can be extended for user-based services, and the various options a service has for leveraging AppArmor support. A set of example services that have been extended with AppArmor support (dbus, upstart, on-line accounts, content picking, ...) will be covered, with design decisions and analysis around each. 8f419eeba28a982b9786f56816250bd9d6d7d972 Linux Security Summit 2013/Abstracts/Schaufler 0 111 3470 2013-08-02T05:39:50Z JamesMorris 2 New page: == Title == Multiple Concurrent Security Models? Really? 
== Presenter == Casey Schaufler, Intel == Abstract == This talk will cover the ongoing work to update the Linux Security Modu... wikitext text/x-wiki == Title == Multiple Concurrent Security Models? Really? == Presenter == Casey Schaufler, Intel == Abstract == This talk will cover the ongoing work to update the Linux Security Module (LSM) infrastructure to allow multiple concurrent security modules. The talk starts with a statement of the problem being solved, that the existing infrastructure allows only a single LSM (plus Yama) to be active at a time. The rationale for the current scheme will be discussed as well as what has changed so that the new scheme is in the works. The talk continues with a description of the externally visible changes and the reasons they've been made. The peculiar configuration issues with networking will be covered in some detail. The additions in /proc/.../attr will be noted. Next the structure of the stacking mechanism is detailed, with special attention to the allocation and freeing of security blobs. The handling of networking hooks and secids will be examined. Finally, the current project plan and status will be described. d8a14db9d82ee623faf9995d897f85c5d4da6a03 Linux Security Summit 2013/Abstracts/Cook 0 112 3471 2013-08-02T05:45:43Z JamesMorris 2 New page: == Title == Linux Kernel ASLR == Presenter == Kees Cook, Google == Abstract == Address Space Layout Randomization has been successfully used as a statistical defense against vulnerabi... wikitext text/x-wiki == Title == Linux Kernel ASLR == Presenter == Kees Cook, Google == Abstract == Address Space Layout Randomization has been successfully used as a statistical defense against vulnerability exploitation in userspace for some time now. Applying it to the kernel has benefits as well, though they are somewhat more limited in scope. This talk will explore the benefits, down-sides, and scenarios for successful application. 
Implementation details and a demonstration will be shown, along with a discussion of what kASLR means for information leaks. 75030ef638da77af48450c6b4e599bd74260cf97 Linux Security Summit 2013/Abstracts/Johansen2 0 113 3472 2013-08-02T05:48:33Z JamesMorris 2 New page: == Title == The AppArmor Labeling Model == Presenter == John Johansen, Canonical == Abstract == This presentation would cover in greater detail the AppArmor labeling extension. Specif... wikitext text/x-wiki == Title == The AppArmor Labeling Model == Presenter == John Johansen, Canonical == Abstract == This presentation would cover in greater detail the AppArmor labeling extension: the specifics of how AppArmor's labeling model works, and the design decisions that were made around the model and implementation. This will include a discussion of the interaction of object labeling with access path based rules. It will also cover the relationship between AppArmor's labeling and types, how types can be derived from AppArmor policy, and why labeling is not always a type. Some performance analysis and comparisons with older versions of AppArmor can be covered if time permits. 2dec38547a298e6e0c91861d6f40679ce63acd2b Kernel Repository 0 4 3482 12 2013-09-20T15:03:14Z JamesMorris 2 wikitext text/x-wiki To develop patches for the kernel security subsystem, use git to clone the linux-security tree: <code>$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git</code> Unless otherwise requested, all development should be done against the next branch, which is automatically pulled into the linux-next tree. To track this branch: <code>$ git checkout --track -b my-next origin/next</code> You can also fetch this branch into an existing local kernel repository and manage it via git remote. Refer to the git documentation and the Kernel Hackers' Guide to git for more information. Patches for review and submission should be generated with git format-patch. 
If you want a git branch pulled directly, use git request-pull. A web-browsable interface via gitweb may be found at: http://git.kernel.org/?p=linux/kernel/git/jmorris/linux-security.git;a=summary Patches should be sent as inline text to linux-kernel @ vger.kernel.org, and preferably cc'd to linux-security-module @ vger.kernel.org and jmorris @ namei.org. == Notes for Subsystem Maintainers == - Code to be merged must be in -next for at least two weeks before I can submit to Linus (excepting urgent bugfixes) - This means it must be in my tree (which is pulled to -next) for at least that long, unless you separately push to -next. - I recommend having your code submitted to my tree by -rc4. - Once Linus' merge window opens, no new code can go into -next until -rc1. I can queue your code in a branch in my tree, or you can submit it after -rc1. 3247434a38e28cef958c253f753725dcb9478169 3483 3482 2013-09-20T15:03:34Z JamesMorris 2 /* Notes for Subsystem Maintainers */ wikitext text/x-wiki To develop patches for the kernel security subsystem, use git to clone the linux-security tree: <code>$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git</code> Unless otherwise requested, all development should be done against the next branch, which is automatically pulled into the linux-next tree. To track this branch: <code>$ git checkout --track -b my-next origin/next</code> You can also fetch this branch into an existing local kernel repository and manage it via git remote. Refer to the git documentation and the Kernel Hackers' Guide to git for more information. Patches for review and submission should be generated with git format-patch. If you want a git branch pulled directly, use git request-pull. 
A web-browsable interface via gitweb may be found at: http://git.kernel.org/?p=linux/kernel/git/jmorris/linux-security.git;a=summary Patches should be sent as inline text to linux-kernel @ vger.kernel.org, and preferably cc'd to linux-security-module @ vger.kernel.org and jmorris @ namei.org. == Notes for Subsystem Maintainers == * Code to be merged must be in -next for at least two weeks before I can submit to Linus (excepting urgent bugfixes) * This means it must be in my tree (which is pulled to -next) for at least that long, unless you separately push to -next. * I recommend having your code submitted to my tree by -rc4. * Once Linus' merge window opens, no new code can go into -next until -rc1. I can queue your code in a branch in my tree, or you can submit it after -rc1. 5611ca3e6d60688baa8de84129922a33edab414e 3484 3483 2013-09-20T15:04:45Z JamesMorris 2 /* Notes for Subsystem Maintainers */ wikitext text/x-wiki To develop patches for the kernel security subsystem, use git to clone the linux-security tree: <code>$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git</code> Unless otherwise requested, all development should be done against the next branch, which is automatically pulled into the linux-next tree. To track this branch: <code>$ git checkout --track -b my-next origin/next</code> You can also fetch this branch into an existing local kernel repository and manage it via git remote. Refer to the git documentation and the Kernel Hackers' Guide to git for more information. Patches for review and submission should be generated with git format-patch. If you want a git branch pulled directly, use git request-pull. A web-browsable interface via gitweb may be found at: http://git.kernel.org/?p=linux/kernel/git/jmorris/linux-security.git;a=summary Patches should be sent as inline text to linux-kernel @ vger.kernel.org, and preferably cc'd to linux-security-module @ vger.kernel.org and jmorris @ namei.org. 
== Notes for Subsystem Maintainers == * Code to be merged must be in -next for at least two weeks before I can submit to Linus (excepting urgent bugfixes) * This means it must be in my tree (which is pulled to -next) for at least that long, unless you separately push to -next * I recommend having your code submitted to my tree by -rc4 * Once Linus' merge window opens, no new code can go into -next until -rc1. I can queue your code in a branch in my tree, or you can submit it after -rc1 * Ensure that the branch to be pulled merges cleanly into mine! 348f9f13a532be25f8d80f46a641db01982a3e04 3485 3484 2013-11-25T02:09:18Z JamesMorris 2 /* Notes for Subsystem Maintainers */ wikitext text/x-wiki To develop patches for the kernel security subsystem, use git to clone the linux-security tree: <code>$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git</code> Unless otherwise requested, all development should be done against the next branch, which is automatically pulled into the linux-next tree. To track this branch: <code>$ git checkout --track -b my-next origin/next</code> You can also fetch this branch into an existing local kernel repository and manage it via git remote. Refer to the git documentation and the Kernel Hackers' Guide to git for more information. Patches for review and submission should be generated with git format-patch. If you want a git branch pulled directly, use git request-pull. A web-browsable interface via gitweb may be found at: http://git.kernel.org/?p=linux/kernel/git/jmorris/linux-security.git;a=summary Patches should be sent as inline text to linux-kernel @ vger.kernel.org, and preferably cc'd to linux-security-module @ vger.kernel.org and jmorris @ namei.org. 
== Notes for Subsystem Maintainers == * Code to be merged must be in -next for at least two weeks before I can submit to Linus (excepting urgent bugfixes) * This means it must be in my tree (which is pulled to -next) for at least that long, unless you separately push to -next '''* Your code must be submitted to my tree by -rc4''' * Once Linus' merge window opens, no new code can go into -next until -rc1. I can queue your code in a branch in my tree, or you can submit it after -rc1 * Ensure that the branch to be pulled merges cleanly into mine! 679aa721cb2453e09a2ecc570cb6a379d69ab9ff 3486 3485 2013-11-25T02:09:33Z JamesMorris 2 /* Notes for Subsystem Maintainers */ wikitext text/x-wiki To develop patches for the kernel security subsystem, use git to clone the linux-security tree: <code>$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git</code> Unless otherwise requested, all development should be done against the next branch, which is automatically pulled into the linux-next tree. To track this branch: <code>$ git checkout --track -b my-next origin/next</code> You can also fetch this branch into an existing local kernel repository and manage it via git remote. Refer to the git documentation and the Kernel Hackers' Guide to git for more information. Patches for review and submission should be generated with git format-patch. If you want a git branch pulled directly, use git request-pull. A web-browsable interface via gitweb may be found at: http://git.kernel.org/?p=linux/kernel/git/jmorris/linux-security.git;a=summary Patches should be sent as inline text to linux-kernel @ vger.kernel.org, and preferably cc'd to linux-security-module @ vger.kernel.org and jmorris @ namei.org. 
== Notes for Subsystem Maintainers == * Code to be merged must be in -next for at least two weeks before I can submit to Linus (excepting urgent bugfixes) * This means it must be in my tree (which is pulled to -next) for at least that long, unless you separately push to -next * '''Your code must be submitted to my tree by -rc4''' * Once Linus' merge window opens, no new code can go into -next until -rc1. I can queue your code in a branch in my tree, or you can submit it after -rc1 * Ensure that the branch to be pulled merges cleanly into mine! 2a549e18c3f657f8c94fdce144887fb3bc050c25 Events 0 6 3488 3487 2014-02-13T13:31:56Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == ===2014=== * [[Linux Security Summit 2014]], 19-20 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. == Past == === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. d2c5d7ab991930957bdc5b1e22fc726b47f1b3d0 3489 3488 2014-02-13T13:32:12Z JamesMorris 2 wikitext text/x-wiki == Upcoming == ===2014=== * [[Linux Security Summit 2014]], 19-20 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. 
== Past == === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 5c933b5db0edd18a027e80e39a646e013edec6ac 3490 3489 2014-02-13T13:33:12Z JamesMorris 2 /* 2014 */ wikitext text/x-wiki == Upcoming == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. == Past == === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 
74f2c4fb0b0b2a50614f82eeaf9f3fdcb38ebbc6 Linux Security Summit 2014 0 114 3491 2014-02-13T13:35:26Z JamesMorris 2 New page: =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts ... wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Venue = The Linux Security Summit for 2014 will be held across 18 and 19 August in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. = CFP = TBA = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org ccb0a1c6a7c0b5ffbbfc3bb0d250d2c2a115a66a 3492 3491 2014-02-13T13:36:23Z JamesMorris 2 wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions A Call for Participation (CfP) will be announced later. = Venue = The Linux Security Summit for 2014 will be held across 18 and 19 August in Chicago, USA. 
It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org e2bbb207e750abc4c9e4c7d340caf789b39527cb 3493 3492 2014-02-13T13:36:48Z JamesMorris 2 wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions A Call for Participation (CfP) will be announced later. = Venue = The Linux Security Summit for 2014 will be held across 18 and 19 August in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org 90670d755b319ef2e1b03b0ec84105860d97715c 3494 3493 2014-02-13T13:37:38Z JamesMorris 2 wikitext text/x-wiki =Description= The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. 
Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

A Call for Participation (CfP) will be announced later on the [http://vger.kernel.org/vger-lists.html#linux-security-module LSM mailing list].

= Venue =

The Linux Security Summit for 2014 will be held across 18 and 19 August in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

a647a55ad87cf90ceed8019ce61fbace299e819d 3495 3494 2014-02-24T03:42:42Z JamesMorris 2 /* Venue */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

A Call for Participation (CfP) will be announced later on the [http://vger.kernel.org/vger-lists.html#linux-security-module LSM mailing list].

= Venue =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

fc0ba0cdde5bce6be4c35c0f6538e5b6019131c8 3496 3495 2014-04-29T11:25:29Z JamesMorris 2 wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Venue =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

= Call for Participation =

'''The CFP is now open, and will close on 6th June.'''

'''Accepted speakers will be notified by 15th of June.'''

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

cd8671d8c0e074a599aab0fbbcbdc8e9f8caf7d0 3497 3496 2014-06-10T05:11:37Z JamesMorris 2 /* Call for Participation */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Venue =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

= Call for Participation =

'''The CFP is now open, and will close on 14th June.'''

'''Accepted speakers will be notified by 21st of June.'''

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

c15cda5e935bd61d0d322ee4c2c04a3050f5b804 3498 3497 2014-06-11T22:54:14Z JamesMorris 2 /* Call for Participation */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Venue =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

= Call for Participation =

'''The CFP is now open, and will close on 20th June.'''

'''Accepted speakers will be notified by 27th of June.'''

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

ceebf58ccdf061650fe4bec695d16e9fb32975c7 3499 3498 2014-06-28T09:28:35Z JamesMorris 2 /* Program Committee */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Venue =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

= Call for Participation =

'''The CFP is now open, and will close on 20th June.'''

'''Accepted speakers will be notified by 27th of June.'''

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

69faf252ac3b12ced8c9d476b05ed71d3720ea76 3500 3499 2014-07-08T23:00:11Z JamesMorris 2 /* Call for Participation */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Venue =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

= Call for Participation =

'''The CFP is now closed.'''

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

613a2d5cb1c1478b1ac3af0cef7828ce17c97a39 3519 3500 2014-07-15T22:33:43Z JamesMorris 2 wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

All attendees and presenters must be registered to attend LinuxCon.

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| James Bottomley, Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]]
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]]
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]]
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]]
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion)
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
| Paul Moore
|-
|09:20
| AppArmor update
| TBA
|-
|09:40
| Integrity update
| Mimi Zohar
|-
|10:00
| Smack update
| Casey Schaufler
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
|colspan="2"| Break-out Session #1
|-
|''12:00''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|13:30
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion)
| Michael Halcrow & Ted Ts'o, Google
|-
|''14:30''
| colspan="2"|''Break''
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]]
| Serge Hallyn & Stéphane Graber, Canonical
|-
|15:30
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.'''

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

6d2167a0a58fd48a6b415612f1c9e3d17c982432 3520 3519 2014-07-15T22:37:10Z JamesMorris 2 /* Day 2 (Tuesday 19th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

All attendees and presenters must be registered to attend LinuxCon.

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| James Bottomley, Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]]
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]]
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]]
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]]
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion)
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update
| TBA
|-
|09:40
| Integrity update
| Mimi Zohar, IBM
|-
|10:00
| Smack update
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
|colspan="2"| Break-out Session #1
|-
|''12:00''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|13:30
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion)
| Michael Halcrow & Ted Ts'o, Google
|-
|''14:30''
| colspan="2"|''Break''
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]]
| Serge Hallyn & Stéphane Graber, Canonical
|-
|15:30
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.'''

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

e7462269f529bc2266abe9d36d5e2b47e83c6e71 3521 3520 2014-07-15T22:38:55Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

All attendees and presenters must be registered to attend LinuxCon.

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]]
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]]
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]]
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]]
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion)
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update
| TBA
|-
|09:40
| Integrity update
| Mimi Zohar, IBM
|-
|10:00
| Smack update
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
|colspan="2"| Break-out Session #1
|-
|''12:00''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|13:30
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion)
| Michael Halcrow & Ted Ts'o, Google
|-
|''14:30''
| colspan="2"|''Break''
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]]
| Serge Hallyn & Stéphane Graber, Canonical
|-
|15:30
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.'''

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

c87ec8963b474c72f9aca998610d0682af63d8e5 3522 3521 2014-07-17T05:07:17Z JamesMorris 2 /* Call for Participation */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

All attendees and presenters must be registered to attend LinuxCon.

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]]
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]]
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]]
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]]
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion)
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update
| TBA
|-
|09:40
| Integrity update
| Mimi Zohar, IBM
|-
|10:00
| Smack update
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
|colspan="2"| Break-out Session #1
|-
|''12:00''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|13:30
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion)
| Michael Halcrow & Ted Ts'o, Google
|-
|''14:30''
| colspan="2"|''Break''
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]]
| Serge Hallyn & Stéphane Graber, Canonical
|-
|15:30
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.'''

The program committee <s>currently seeks</s> sought proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

e98e2695805bc67312c5a94a3f0d5fb0260a0270 3523 3522 2014-08-01T01:33:43Z JamesMorris 2 /* Day 2 (Tuesday 19th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

All attendees and presenters must be registered to attend LinuxCon.

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]]
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]]
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]]
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]]
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion)
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update
| Mimi Zohar, IBM
|-
|10:00
| Smack update
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
|colspan="2"| Break-out Session #1
|-
|''12:00''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|13:30
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion)
| Michael Halcrow & Ted Ts'o, Google
|-
|''14:30''
| colspan="2"|''Break''
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]]
| Serge Hallyn & Stéphane Graber, Canonical
|-
|15:30
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.'''

The program committee <s>currently seeks</s> sought proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

30394f942fc1409c60801544790c5aa38ac17747 3524 3523 2014-08-01T10:41:40Z JamesMorris 2 /* Day 2 (Tuesday 19th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

All attendees and presenters must be registered to attend LinuxCon.

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]]
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]]
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]]
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]]
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion)
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update
| Mimi Zohar, IBM
|-
|10:00
| Smack update
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto update
| Herbert Xu, Red Hat
|-
|10:50
| Seccomp update
| Kees Cook, Canonical
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion)
| Michael Halcrow & Ted Ts'o, Google
|-
|''15:00''
| colspan="2"|''Break''
|-
|15:15
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]]
| Serge Hallyn & Stéphane Graber, Canonical
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.'''

The program committee <s>currently seeks</s> sought proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

a86de8e116a16ee6f17e0c3c51a955a5821047f3 3525 3524 2014-08-14T00:23:05Z KeesCook 3 /* Day 2 (Tuesday 19th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events.

All attendees and presenters must be registered to attend LinuxCon.

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]]
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]]
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]]
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]]
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion)
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update
| Mimi Zohar, IBM
|-
|10:00
| Smack update
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto update
| Herbert Xu, Red Hat
|-
|10:50
| Seccomp update
| Kees Cook, Google
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion) | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org 7aa471e3cbd715d9f3e19030e71f9946a013adaa 3526 3525 2014-08-17T13:22:31Z JamesMorris 2 /* Event */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. 
The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. '''The location is the 2nd Floor, "Superior" room A (or B).''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion) | Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 (Tuesday 19th August) == {| border="1" cellpadding="6" 
cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update | Paul Moore, Red Hat |- |09:20 | AppArmor update | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update | Herbert Xu, Red Hat |- |10:50 | Seccomp update | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion) | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
= Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org 99b7c4830b5de429e200a723796d60e1de41a783 3527 3526 2014-08-18T07:32:14Z JamesMorris 2 /* Event */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. 
'''The venue location is the 2nd Floor, "Superior" room A/B''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion) | Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 (Tuesday 19th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update | Paul Moore, Red Hat |- |09:20 | AppArmor update | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update | Herbert Xu, Red Hat |- |10:50 | Seccomp update | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' 
|colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion) | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org 63568dd323dcf5a9d8699fa35162fc07a931197b 3528 3527 2014-08-20T13:28:48Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. 
The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. '''The venue location is the 2nd Floor, "Superior" room A/B''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])'' | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion) | Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 
(Tuesday 19th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update | Paul Moore, Red Hat |- |09:20 | AppArmor update | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update | Herbert Xu, Red Hat |- |10:50 | Seccomp update | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion) | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
= Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org 706035db7da0aebad4fb6c215ac3e35e402c5638 3529 3528 2014-08-20T13:34:57Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. 
'''The venue location is the 2nd Floor, "Superior" room A/B''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])'' | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])'' | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])'' | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])'' | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])'' (discussion) | Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 (Tuesday 19th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update | 
Paul Moore, Red Hat |- |09:20 | AppArmor update | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update | Herbert Xu, Red Hat |- |10:50 | Seccomp update | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion) | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
= Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org 2cd50d543141611d5bae6013d88e9c91dfcbd388 3530 3529 2014-08-20T13:38:27Z JamesMorris 2 /* Day 2 (Tuesday 19th August) */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. 
'''The venue location is the 2nd Floor, "Superior" room A/B''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])'' | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])'' | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])'' | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])'' | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])'' (discussion) | Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 (Tuesday 19th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update 
''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])'' | Paul Moore, Red Hat |- |09:20 | AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])' | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])'' | Herbert Xu, Red Hat |- |10:50 | Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])'' | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])''(discussion) | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])'' | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
= Program Committee=
The Linux Security Summit for 2014 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

75779a110532e48b60367d57ae427b6934be4f83 3531 3530 2014-08-20T13:39:14Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki

= Description =
The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =
The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon.

'''The venue location is the 2nd Floor, "Superior" room A/B'''

= Schedule =
== Day 1 (Monday 18th August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])''
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])''
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]]
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])''
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])''
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])''
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])''
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])''
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update
| Mimi Zohar, IBM
|-
|10:00
| Smack update
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])''
| Herbert Xu, Red Hat
|-
|10:50
| Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])''
| Kees Cook, Google
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])'' (discussion)
| Michael Halcrow & Ted Ts'o, Google
|-
|''15:00''
|colspan="2"|''Break''
|-
|15:15
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])''
| Serge Hallyn & Stéphane Graber, Canonical
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =
'''The CFP is now closed.'''

The program committee <s>currently seeks</s> sought proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee=
The Linux Security Summit for 2014 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

3279faddb8132e2935faf0a04c71dee31d8b01ce 3532 3531 2014-08-20T13:39:41Z JamesMorris 2 /* Day 2 (Tuesday 19th August) */ wikitext text/x-wiki

= Description =
The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =
The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon.

'''The venue location is the 2nd Floor, "Superior" room A/B'''

= Schedule =
== Day 1 (Monday 18th August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk'''</span>
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])''
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])''
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]]
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])''
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])''
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])''
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])'' | Paul Moore, Red Hat |- |09:20 | AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])' | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])'' | Herbert Xu, Red Hat |- |10:50 | Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])'' | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])'' | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])'' | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. 
= Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org c777051823825f0857a18009cb5a64ab40d0d469 3533 3532 2014-08-20T13:54:06Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. 
'''The venue location is the 2nd Floor, "Superior" room A/B''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides])''' | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])'' | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])'' | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])'' | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])'' | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])'' | Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 (Tuesday 19th August) == {| 
border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])'' | Paul Moore, Red Hat |- |09:20 | AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])' | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])'' | Herbert Xu, Red Hat |- |10:50 | Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])'' | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])'' | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])'' | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org 095a9aa798870162f77bc070e9d0a070d7fd6ed4 3534 3533 2014-08-20T20:11:41Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. 
'''The venue location is the 2nd Floor, "Superior" room A/B''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides])''' | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])'' | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])'' | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''((http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])'' | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])'' | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])'' | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])'' | 
Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 (Tuesday 19th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])'' | Paul Moore, Red Hat |- |09:20 | AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])' | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])'' | Herbert Xu, Red Hat |- |10:50 | Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])'' | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])'' | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])'' | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org 7fdaba10493139e07d1acd793ed48999bb62f8a4 3535 3534 2014-08-20T20:12:15Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. 
'''The venue location is the 2nd Floor, "Superior" room A/B''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides])''' | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])'' | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])'' | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])'' | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])'' | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])'' | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])'' | 
Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 (Tuesday 19th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])'' | Paul Moore, Red Hat |- |09:20 | AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])' | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])'' | Herbert Xu, Red Hat |- |10:50 | Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])'' | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])'' | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])'' | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org d185d30197dc4115eb5f1d3c8387653fb04d8288 3536 3535 2014-08-20T20:13:49Z JamesMorris 2 /* Day 2 (Tuesday 19th August) */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. 
'''The venue location is the 2nd Floor, "Superior" room A/B''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides])''' | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])'' | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])'' | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])'' | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])'' | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])'' | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])'' | 
Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 (Tuesday 19th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])'' | Paul Moore, Red Hat |- |09:20 | AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])' | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update | Casey Schaufler, Intel ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Smack.pdf slides])'' |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])'' | Herbert Xu, Red Hat |- |10:50 | Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])'' | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])'' | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])'' | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org bc44dc94db9a8532e659d5f1865ab313842a2ab3 3537 3536 2014-08-20T20:14:23Z JamesMorris 2 /* Day 2 (Tuesday 19th August) */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon. 
'''The venue location is the 2nd Floor, "Superior" room A/B''' = Schedule = == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides])''' | [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels |- |''09:50'' |colspan="2"|''Break'' |- |10:00 | [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])'' | Kees Cook, Google |- |10:45 | [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])'' | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|''Break'' |- |11:45 | [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])'' | Casey Schaufler, Intel |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])'' | David Drysdale, Google |- |14:45 | [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] | Anil Kurmus, IBM |- |''15:30'' |colspan="2"|''Break'' |- |15:45 | [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])'' | David Safford & Mimi Zohar, IBM |- |16:30 | [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])'' | 
Kees Cook, Google |- |''17:00'' |colspan="2"|''Finish'' |} == Day 2 (Tuesday 19th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])'' | Paul Moore, Red Hat |- |09:20 | AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])' | Tyler Hicks, Canonical |- |09:40 | Integrity update | Mimi Zohar, IBM |- |10:00 | Smack update ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Smack.pdf slides])'' | Casey Schaufler, Intel |- |''10:20'' |colspan="2"|''Break'' |- |10:30 | Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])'' | Herbert Xu, Red Hat |- |10:50 | Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])'' | Kees Cook, Google |- |11:20 |colspan="2"| Break-out Session #1 |- |''12:30'' |colspan="2"|''Lunch (self-funded at a nearby location)'' |- |14:00 | [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])'' | Michael Halcrow & Ted Ts'o, Google |- |''15:00'' | colspan="2"|''Break'' |- |15:15 | [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])'' | Serge Hallyn & Stéphane Graber, Canonical |- |16:00 |colspan="2"| Break-out Session #2 |- |''17:00'' |colspan="2"|''Finish'' |} = Call for Participation = '''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org Abstracts should be approximately 150 words in total. = Program Committee= The Linux Security Summit for 2014 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org 87d5308503a19733128232ce34032f1312d6ac2c Linux Security Summit 2014/Abstracts/Cook 1 0 115 3501 2014-07-15T15:51:07Z JamesMorris 2 New page: == Title == Verified Component Firmware == Presenter == Kees Cook == Abstract == Privileged executable code running on a device is not limited to just the Boot Firmware and Kernel. On... wikitext text/x-wiki == Title == Verified Component Firmware == Presenter == Kees Cook == Abstract == Privileged executable code running on a device is not limited to just the Boot Firmware and Kernel. One major area that gets frequently overlooked is Component Firmware: firmware loaded on network interfaces, wifi and cellular wireless devices, hard drives, keyboards, etc. Some of these devices have direct DMA access to system physical memory, some have access to potentially sensitive information (keystrokes, network or storage data, etc). Presently, the Linux Kernel loads firmware from userspace via directly located files, data passed by uevent handlers, or by specialized updater tools that manipulate (potentially undocumented) device interfaces. 
There is no mechanism in place for the kernel to reason about the origin of the firmware, so it is possible for userspace to load malicious Component Firmware that could result in a compromised kernel or a component that persistently snoops on data.

As was done for kernel module loading, I have introduced a new interface for firmware loading that operates on a file descriptor rather than arbitrary blobs passed from userspace. This allows a system to limit firmware loading to only known sources. For example, firmware loading could be limited to read-only crypto-verified storage, or with verified signatures.

Additionally, I will present a methodology for evaluating Component Firmware risks based on the component's own level of firmware validation and the component's access to sensitive interfaces or data. With this, a plan for firmware that is loaded external to the kernel (entirely via userspace) can be developed, potentially leading to filtered device communication.

sha1: 710cedea180722beceb92d5c91caa4c84e151aeb

Revision 3504 (parent 3501); 2014-07-15T16:01:23Z; JamesMorris (user id 2); wikitext text/x-wiki

== Title ==
Verified Component Firmware

== Presenter ==
Kees Cook, Google

== Abstract ==
Privileged executable code running on a device is not limited to just the Boot Firmware and Kernel. One major area that gets frequently overlooked is Component Firmware: firmware loaded on network interfaces, wifi and cellular wireless devices, hard drives, keyboards, etc. Some of these devices have direct DMA access to system physical memory, some have access to potentially sensitive information (keystrokes, network or storage data, etc). Presently, the Linux Kernel loads firmware from userspace via directly located files, data passed by uevent handlers, or by specialized updater tools that manipulate (potentially undocumented) device interfaces.
There is no mechanism in place for the kernel to reason about the origin of the firmware, so it is possible for userspace to load malicious Component Firmware that could result in a compromised kernel or a component that persistently snoops on data.

As was done for kernel module loading, I have introduced a new interface for firmware loading that operates on a file descriptor rather than arbitrary blobs passed from userspace. This allows a system to limit firmware loading to only known sources. For example, firmware loading could be limited to read-only crypto-verified storage, or with verified signatures.

Additionally, I will present a methodology for evaluating Component Firmware risks based on the component's own level of firmware validation and the component's access to sensitive interfaces or data. With this, a plan for firmware that is loaded external to the kernel (entirely via userspace) can be developed, potentially leading to filtered device communication.

sha1: cbb51675d69df6edd242f7f5178f9c029b761ff1

Page: Linux Security Summit 2014/Abstracts/Smalley (ns 0, page id 116); revision 3502; 2014-07-15T15:57:51Z; JamesMorris (user id 2); comment: New page: == Title == Protecting the Android TCB with SELinux == Presenter == Stephen Smalley == Abstract == At last year's LSS, SELinux was already shipping in the Samsung Galaxy S4 smartphone...; wikitext text/x-wiki

== Title ==
Protecting the Android TCB with SELinux

== Presenter ==
Stephen Smalley

== Abstract ==
At last year's LSS, SELinux was already shipping in the Samsung Galaxy S4 smartphone and included in the official Android 4.3 release by Google, but was in permissive mode by default. Since last year's LSS, SELinux has been made enforcing by default in Samsung devices and in the official Android 4.4 / KitKat release by Google. As shipped in Android 4.4, SELinux was focused on protecting a set of root daemons in Android. This protection was successful in preventing exploitation of a long-standing root vulnerability in Android.
Since the 4.4 release, significant work has gone into expanding the coverage of SELinux in Android to fully confine and protect all Android processes and to protect the Android Trusted Computing Base (TCB) against a number of practical, real-world threats. In this talk, we will describe how SELinux is being applied to Android to protect its TCB. The Android SELinux changes are already visible in the Android Open Source Project (AOSP) master branch and are expected to be included in the next major release of Android. We will also explain how we addressed various practical challenges to using SELinux effectively and summarize ongoing work to further improve the state of Android security.

sha1: 53465f70c6fb6d8db6568958f308a8f29f2c2c41

Revision 3505 (parent 3502); 2014-07-15T16:01:37Z; JamesMorris (user id 2); wikitext text/x-wiki

== Title ==
Protecting the Android TCB with SELinux

== Presenter ==
Stephen Smalley, NSA

== Abstract ==
At last year's LSS, SELinux was already shipping in the Samsung Galaxy S4 smartphone and included in the official Android 4.3 release by Google, but was in permissive mode by default. Since last year's LSS, SELinux has been made enforcing by default in Samsung devices and in the official Android 4.4 / KitKat release by Google. As shipped in Android 4.4, SELinux was focused on protecting a set of root daemons in Android. This protection was successful in preventing exploitation of a long-standing root vulnerability in Android.

Since the 4.4 release, significant work has gone into expanding the coverage of SELinux in Android to fully confine and protect all Android processes and to protect the Android Trusted Computing Base (TCB) against a number of practical, real-world threats. In this talk, we will describe how SELinux is being applied to Android to protect its TCB. The Android SELinux changes are already visible in the Android Open Source Project (AOSP) master branch and are expected to be included in the next major release of Android.
We will also explain how we addressed various practical challenges to using SELinux effectively and summarize ongoing work to further improve the state of Android security.

sha1: ebecf019c0a01f8bfa6f464af72918b69923dd06

Page: Linux Security Summit 2014/Abstracts/Schaufler (ns 0, page id 117); revision 3503; 2014-07-15T16:00:57Z; JamesMorris (user id 2); comment: New page: == Title == Tizen, Security and the Internet of Things == Presenter == Casey Schaufler, Intel == Abstract == The Internet Of Things (IOT) is upon us. Smart cars are the norm, smart te...; wikitext text/x-wiki

== Title ==
Tizen, Security and the Internet of Things

== Presenter ==
Casey Schaufler, Intel

== Abstract ==
The Internet Of Things (IOT) is upon us. Smart cars are the norm, smart televisions and watches are common and smart shirts are available. Smart phones are ubiquitous. The Tizen operating system is running on all of these devices. The security features of Tizen are heavily driven by the needs and requirements of the IOT. There is an organic, interactive and continuously surprising process driving both the expectations of security and the technology that provides it. This is the story of how Tizen is driving and responding to the other security drivers in the Internet Of Things.

The talk begins with a brief description of the Tizen operating system. The kernel, service and web runtime security models are explained. An overview of the philosophy behind customizing the system for specific use profiles and products comes next. We move on to a discussion of the security issues inherent in a distributed, asymmetric, device-oriented computing system. The problems that crop up when mixing communications technologies get mentioned, as do those associated with non-uniform policy. Finally, the Tizen approach to addressing the situation is presented. Standards from W3C, industry initiatives, and a veritable plethora of open source projects get identified and tied together. The strong points and shortcomings get approximately equal time in the spotlight.
sha1: 372d79f7d66d16962299e454f6c9f7973b1788b3

Page: Linux Security Summit 2014/Abstracts/Drysdale (ns 0, page id 118); revision 3506; 2014-07-15T16:06:43Z; JamesMorris (user id 2); comment: New page: == Title == Capsicum on Linux == Presenter == David Drysdale, Google == Abstract == Capsicum is a lightweight security framework, blending concepts from object-capability security wit...; wikitext text/x-wiki

== Title ==
Capsicum on Linux

== Presenter ==
David Drysdale, Google

== Abstract ==
Capsicum is a lightweight security framework, blending concepts from object-capability security with POSIX operating system semantics. In particular, Capsicum allows the operations that can be performed on individual file descriptors to be restricted to those specified by a set of fine-grained rights. Capsicum also implements capability mode, which restricts a process from using system calls that access global namespaces (such as the directory hierarchy or IP:port space), and so prevents access to any new resources. The combination of these features allows security-aware applications to sandbox themselves in a precise manner, without relying on external policy.

Capsicum was originally created at the University of Cambridge Computing Laboratory [1] and implemented in FreeBSD 9.0. Google is currently implementing equivalent functionality for the Linux kernel. This discussion topic covers the core concepts of Capsicum, together with the specific issues arising from the Linux kernel implementation.

[1] http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf

sha1: 6827f1006907521e5d90e3fe6c236d6463bd8ddf

Page: Linux Security Summit 2014/Abstracts/Kurmus (ns 0, page id 119); revision 3507; 2014-07-15T16:16:26Z; JamesMorris (user id 2); comment: New page: == Title == Quantifying and Reducing the Kernel Attack Surface == Presenter == Anil Kurmus == Abstract == The Linux kernel ships with many features which can be, and are, exploited by...; wikitext text/x-wiki

== Title ==
Quantifying and Reducing the Kernel Attack Surface

== Presenter ==
Anil Kurmus

== Abstract ==
The Linux kernel ships with many features which can be, and are, exploited by attackers. In this talk, we explore two different approaches to reduce the kernel attack surface. One at compile-time, whereby execution traces of the kernel are taken into account to automatically generate a tailored kernel configuration. Another at run-time, whereby traces are directly used at run-time to detect the use of unnecessary functions by a subset of applications. Prior to that, we will give a precise definition of the attack surface and propose ways of measuring it, to be able to objectively evaluate the benefits of such approaches. Evaluation results show that attack surface reduction is an effective approach, whether we quantify attack surface in terms of CVEs that would have been prevented, or reduction of the amount of reachable code under reasonable threat models.

sha1: a2026b19beb3d8858f35c02aa3cab2437db90088

Page: Linux Security Summit 2014/Abstracts/Safford (ns 0, page id 120); revision 3508; 2014-07-15T16:19:40Z; JamesMorris (user id 2); comment: New page: == Title == Extending the Linux Integrity Subsystem for TCB Protection == Presenter == David Safford & Mimi Zohar, IBM == Abstract == The Linux Integrity Subsystem currently provides...; wikitext text/x-wiki

== Title ==
Extending the Linux Integrity Subsystem for TCB Protection

== Presenter ==
David Safford & Mimi Zohar, IBM

== Abstract ==
The Linux Integrity Subsystem currently provides basic file integrity measurement, attestation, and appraisal, combining both the trusted computing model based on hashes, and the secure computing model based on signatures. It has, however, limitations in its ability to protect all TCB files. For example, the appraisal policy cannot distinguish TCB regular files which are read and executed by an interpreter from files which are simply read.
In addition, while IMA-appraisal-digsig provides some immutability for signed files, a root privileged attacker can (in some cases) simply delete and replace the file with an unsigned one. To overcome these limitations, we have extended IMA with a policy-based locking that integrates a concept similar to BSD immutable files with the full power of the IMA policy language.

The first part of the talk will describe the use of IMA audit data to determine which files are in the Fedora 20 desktop TCB, and show how the existing IMA is unable to distinguish and lock some of these files adequately. We will then detail the new extensions, and show how these extensions are able to protect the TCB. We will then demonstrate the overall subsystem in action, including package installation and update.

As a bonus, we will show how to build a complementary multifunction USB hardware token for the truly paranoid. It combines the functionality of a TPM (for anchoring IMA attestation on systems with no TPM), of a signature authority (for signing all TCB files locally with _your_ key), and an authentication token (for remote access like ssh). The RSA private keys are generated on token, and never leave the token. (Some soldering required :-)

sha1: d15b2ba560e91b4d43fcc2711514ccf7c759a797

Page: Linux Security Summit 2014/Abstracts/Cook 2 (ns 0, page id 121); revision 3509; 2014-07-15T16:31:15Z; JamesMorris (user id 2); comment: New page: == Title == Trusted Kernel Lock-down Patch Series (discussion) == Presenter == Kees Cook, Google == Abstract == There is a need to lock down access to raw kernel memory and devices wh...; wikitext text/x-wiki

== Title ==
Trusted Kernel Lock-down Patch Series (discussion)

== Presenter ==
Kees Cook, Google

== Abstract ==
There is a need to lock down access to raw kernel memory and devices when running under certain conditions. UEFI Secure Boot, or Chrome OS Verified Boot, among other situations, wants to be sure that userspace (even privileged users) cannot change the running kernel.
A patch series that implements this was written (and rewritten) by Matthew Garrett, but it has been bike-shed to death. We will discuss ways for this series to move forward, and document the prior objections and rebuttals so that future discussion can avoid resolved issues without distracting from progress.

sha1: 69c03ddb13e42a926538a8fe0959f1bcc2e03d77

Page: Linux Security Summit 2014/Schedule draft (ns 0, page id 122); revision 3510; 2014-07-15T16:39:16Z; JamesMorris (user id 2); comment: New page: == Day 1 (Monday 18th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">'''Keynote Talk'''</span> | James Bottomley, Pa...; wikitext text/x-wiki

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || <span style="color:navy">'''Keynote Talk'''</span> || James Bottomley, Parallels
|-
| ''09:50'' || colspan="2" | ''Break''
|-
| 10:00 || [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] || Kees Cook, Google
|-
| 10:45 || [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] || Stephen Smalley, NSA
|-
| ''11:30'' || colspan="2" | ''Break''
|-
| 11:45 || [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] || Casey Schaufler, Intel
|-
| ''12:30'' || colspan="2" | ''Lunch (self-funded at a nearby location)''
|-
| 14:00 || [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] || David Drysdale, Google
|-
| 14:45 || [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] || Anil Kurmus, IBM
|-
| ''15:30'' || colspan="2" | ''Break''
|-
| 15:45 || [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] || David Safford & Mimi Zohar, IBM
|-
| 16:30 || [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion) || Kees Cook, Google
|-
| ''17:00'' || colspan="2" | ''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || SELinux update || Paul Moore
|-
| 09:20 || AppArmor update || TBA
|-
| 09:40 || Integrity update || Mimi Zohar
|-
| 10:00 || Smack update || Casey Schaufler
|-
| ''10:20'' || colspan="2" | ''Break''
|-
| 10:30 || colspan="2" | Break-out Session #1
|-
| ''12:00'' || colspan="2" | ''Lunch (self-funded at a nearby location)''
|-
| 13:30 || ||
|-
| ''17:00'' || colspan="2" | ''Finish''
|}

sha1: cbfb0a73b425995e2725c940f50116b7fb273a16

Revision 3514 (parent 3510); 2014-07-15T16:46:52Z; JamesMorris (user id 2); wikitext text/x-wiki

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || <span style="color:navy">'''Keynote Talk'''</span> || James Bottomley, Parallels
|-
| ''09:50'' || colspan="2" | ''Break''
|-
| 10:00 || [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] || Kees Cook, Google
|-
| 10:45 || [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] || Stephen Smalley, NSA
|-
| ''11:30'' || colspan="2" | ''Break''
|-
| 11:45 || [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] || Casey Schaufler, Intel
|-
| ''12:30'' || colspan="2" | ''Lunch (self-funded at a nearby location)''
|-
| 14:00 || [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] || David Drysdale, Google
|-
| 14:45 || [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] || Anil Kurmus, IBM
|-
| ''15:30'' || colspan="2" | ''Break''
|-
| 15:45 || [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] || David Safford & Mimi Zohar, IBM
|-
| 16:30 || [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion) || Kees Cook, Google
|-
| ''17:00'' || colspan="2" | ''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || SELinux update || Paul Moore
|-
| 09:20 || AppArmor update || TBA
|-
| 09:40 || Integrity update || Mimi Zohar
|-
| 10:00 || Smack update || Casey Schaufler
|-
| ''10:20'' || colspan="2" | ''Break''
|-
| 10:30 || colspan="2" | Break-out Session #1
|-
| ''12:00'' || colspan="2" | ''Lunch (self-funded at a nearby location)''
|-
| 13:30 || [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption (discussion)]] || Michael Halcrow & Ted Ts'o, Google
|-
| ''14:30'' || colspan="2" | ''Break''
|-
| 14:45 || [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] || Serge Hallyn & Stéphane Graber, Canonical
|-
| 15:30 || colspan="2" | Break-out Session #2
|-
| ''17:00'' || colspan="2" | ''Finish''
|}

sha1: 7bdd29eb8250e7a0dc9f64de871241b137e0e5f3

Revision 3515 (parent 3514); 2014-07-15T16:47:20Z; JamesMorris (user id 2); comment: /* Day 2 (Tuesday 19th August) */; wikitext text/x-wiki

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || <span style="color:navy">'''Keynote Talk'''</span> || James Bottomley, Parallels
|-
| ''09:50'' || colspan="2" | ''Break''
|-
| 10:00 || [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] || Kees Cook, Google
|-
| 10:45 || [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] || Stephen Smalley, NSA
|-
| ''11:30'' || colspan="2" | ''Break''
|-
| 11:45 || [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] || Casey Schaufler, Intel
|-
| ''12:30'' || colspan="2" | ''Lunch (self-funded at a nearby location)''
|-
| 14:00 || [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] || David Drysdale, Google
|-
| 14:45 || [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] || Anil Kurmus, IBM
|-
| ''15:30'' || colspan="2" | ''Break''
|-
| 15:45 || [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] || David Safford & Mimi Zohar, IBM
|-
| 16:30 || [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion) || Kees Cook, Google
|-
| ''17:00'' || colspan="2" | ''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || SELinux update || Paul Moore
|-
| 09:20 || AppArmor update || TBA
|-
| 09:40 || Integrity update || Mimi Zohar
|-
| 10:00 || Smack update || Casey Schaufler
|-
| ''10:20'' || colspan="2" | ''Break''
|-
| 10:30 || colspan="2" | Break-out Session #1
|-
| ''12:00'' || colspan="2" | ''Lunch (self-funded at a nearby location)''
|-
| 13:30 || [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption (discussion)]] || Michael Halcrow & Ted Ts'o, Google
|-
| ''14:30'' || colspan="2" | ''Break''
|-
| 14:45 || [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] || Serge Hallyn & Stéphane Graber, Canonical
|-
| 15:30 || colspan="2" | Break-out Session #2
|-
| ''17:00'' || colspan="2" | ''Finish''
|}

sha1: 45c4eab90f7b1241a5ddfa9fb880fe5f137ebe8c

Revision 3516 (parent 3515); 2014-07-15T16:48:05Z; JamesMorris (user id 2); comment: /* Day 2 (Tuesday 19th August) */; wikitext text/x-wiki

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || <span style="color:navy">'''Keynote Talk'''</span> || James Bottomley, Parallels
|-
| ''09:50'' || colspan="2" | ''Break''
|-
| 10:00 || [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] || Kees Cook, Google
|-
| 10:45 || [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] || Stephen Smalley, NSA
|-
| ''11:30'' || colspan="2" | ''Break''
|-
| 11:45 || [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] || Casey Schaufler, Intel
|-
| ''12:30'' || colspan="2" | ''Lunch (self-funded at a nearby location)''
|-
| 14:00 || [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] || David Drysdale, Google
|-
| 14:45 || [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] || Anil Kurmus, IBM
|-
| ''15:30'' || colspan="2" | ''Break''
|-
| 15:45 || [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] || David Safford & Mimi Zohar, IBM
|-
| 16:30 || [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] (discussion) || Kees Cook, Google
|-
| ''17:00'' || colspan="2" | ''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || SELinux update || Paul Moore
|-
| 09:20 || AppArmor update || TBA
|-
| 09:40 || Integrity update || Mimi Zohar
|-
| 10:00 || Smack update || Casey Schaufler
|-
| ''10:20'' || colspan="2" | ''Break''
|-
| 10:30 || colspan="2" | Break-out Session #1
|-
| ''12:00'' || colspan="2" | ''Lunch (self-funded at a nearby location)''
|-
| 13:30 || [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] (discussion) || Michael Halcrow & Ted Ts'o, Google
|-
| ''14:30'' || colspan="2" | ''Break''
|-
| 14:45 || [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] || Serge Hallyn & Stéphane Graber, Canonical
|-
| 15:30 || colspan="2" | Break-out Session #2
|-
| ''17:00'' || colspan="2" | ''Finish''
|}

sha1: f8426e65d396e506b8f0a964d4bfbe755a27fbd3

Revision 3517 (parent 3516); 2014-07-15T22:32:39Z; JamesMorris (user id 2); comment: [[Linux Security Summit 2014/Schedule]] moved to [[Linux Security Summit 2014/Schedule draft]]; wikitext text/x-wiki (page text unchanged from revision 3516)

sha1: f8426e65d396e506b8f0a964d4bfbe755a27fbd3

Page: Linux Security Summit 2014/Abstracts/Halcrow (ns 0, page id 123); revision 3511; 2014-07-15T16:41:57Z; JamesMorris (user id 2); comment: New page: == Title == EXT4 Encryption == Presenter == Michael Halcrow & Ted Ts'o, Google == Abstract == eCryptfs has served its purpose reasonably well in the years since it was merged upstream...; wikitext text/x-wiki

== Title ==
EXT4 Encryption

== Presenter ==
Michael Halcrow & Ted Ts'o, Google

== Abstract ==
eCryptfs has served its purpose reasonably well in the years since it was merged upstream, but its extensive use in ChromeOS and Ubuntu has revealed several shortcomings, many related to inherent problems with stacked filesystems in Linux. Perhaps the most pertinent issue is that cryptanalysis has advanced since eCryptfs was designed almost a decade ago, and its susceptibility to Adaptive Chosen Ciphertext (CCA2) attacks is an increasing cause for concern. Furthermore, dm-crypt, loop-AES, TrueCrypt, etc. all lack cryptographically strong integrity. Linux users are left without any really great options.

Changing the encryption mode to support both strong confidentiality and integrity carries with it additional complexity and performance challenges. We endeavor to leverage filesystem-layer intelligence in EXT4 to manage integrity data. Lukas Czerner at Red Hat plans to implement per-block metadata in 2014, a feature which we expect we can use to intelligently and efficiently store additional cryptographic data necessary to implement IND-CCA2-secure encryption modes like AES-GCM. We also have options available to us in the event per-block metadata isn't realized in the near future, which we would like to discuss at LSS 2014.

eCryptfs suffers from a major correctness issue, in that a page dirty in the lower filesystem page cache cannot propagate to a page dirty in the eCryptfs page cache. Current deployments paper over this bug by attempting to mask lower filesystem dentries with things like eCryptfs overlay mounts. We can eliminate this problem by implementing the encryption directly in the data path of EXT4. We will also incorporate customer feedback from years of eCryptfs use in the field to avoid many of the key management and usability pitfalls that users have reported.
We will also address performance issues that eCryptfs suffers from due to its inherent disadvantage of being constrained to an entirely separate layer above another filesystem. eCryptfs has also notoriously had a sort of "stack once, debug everywhere" phenomenon, in that unintended interactions with nuances in behavior of various lower filesystems have prevented eCryptfs from either working at all or working reliably. eCryptfs is commonly stacked on EXT4, and so native EXT4 encryption will immediately resolve the performance, correctness, and security issues that the majority of eCryptfs users deal with today.

sha1: 692d7b198256fe0723d2238203279f0c14f9c2f3

Revision 3512 (parent 3511); 2014-07-15T16:42:18Z; JamesMorris (user id 2); wikitext text/x-wiki

== Title ==
EXT4 Encryption (discussion)

== Presenter ==
Michael Halcrow & Ted Ts'o, Google

== Abstract ==
eCryptfs has served its purpose reasonably well in the years since it was merged upstream, but its extensive use in ChromeOS and Ubuntu has revealed several shortcomings, many related to inherent problems with stacked filesystems in Linux. Perhaps the most pertinent issue is that cryptanalysis has advanced since eCryptfs was designed almost a decade ago, and its susceptibility to Adaptive Chosen Ciphertext (CCA2) attacks is an increasing cause for concern. Furthermore, dm-crypt, loop-AES, TrueCrypt, etc. all lack cryptographically strong integrity. Linux users are left without any really great options.

Changing the encryption mode to support both strong confidentiality and integrity carries with it additional complexity and performance challenges. We endeavor to leverage filesystem-layer intelligence in EXT4 to manage integrity data. Lukas Czerner at Red Hat plans to implement per-block metadata in 2014, a feature which we expect we can use to intelligently and efficiently store additional cryptographic data necessary to implement IND-CCA2-secure encryption modes like AES-GCM.
We also have options available to us in the event per-block metadata isn't realized in the near future, which we would like to discuss at LSS 2014.

eCryptfs suffers from a major correctness issue, in that a page dirty in the lower filesystem page cache cannot propagate to a page dirty in the eCryptfs page cache. Current deployments paper over this bug by attempting to mask lower filesystem dentries with things like eCryptfs overlay mounts. We can eliminate this problem by implementing the encryption directly in the data path of EXT4. We will also incorporate customer feedback from years of eCryptfs use in the field to avoid many of the key management and usability pitfalls that users have reported.

We will also address performance issues that eCryptfs suffers from due to its inherent disadvantage of being constrained to an entirely separate layer above another filesystem. eCryptfs has also notoriously had a sort of "stack once, debug everywhere" phenomenon, in that unintended interactions with nuances in behavior of various lower filesystems have prevented eCryptfs from either working at all or working reliably. eCryptfs is commonly stacked on EXT4, and so native EXT4 encryption will immediately resolve the performance, correctness, and security issues that the majority of eCryptfs users deal with today.

sha1: 20e1ccab8c50716cfe29c8610aa6ce9f447f670d

Page: Linux Security Summit 2014/Abstracts/Hallyn (ns 0, page id 124); revision 3513; 2014-07-15T16:45:30Z; JamesMorris (user id 2); comment: New page: == Title == Application Confinement with User Namespaces == Presenter == Serge Hallyn & Stéphane Graber, Canonical == Abstract == Application sandboxing using MAC has become common-p...; wikitext text/x-wiki

== Title ==
Application Confinement with User Namespaces

== Presenter ==
Serge Hallyn & Stéphane Graber, Canonical

== Abstract ==
Application sandboxing using MAC has become common-place.
SELinux and AppArmor policies to protect a user from things like browsers and bittorrent clients are available to most, even if they are not as widely used as we would like. Some people use VMs to sandbox heavyweight applications, with an obviously greater performance penalty. Pure container sandboxing eschews this penalty at the cost of reduced isolation. Combining container sandboxing with MAC, as was done by virt-sandbox-service and in default Ubuntu LXC containers, makes for a terrific tool for sandboxing untrusted applications.

While privileged containers offer benefits by partially isolating applications using namespaces and cgroups, a whole new level of confinement is reached when adding user namespaces. By supporting creation and use of unprivileged containers by users who have no root access at all, this level of sandboxing is now more accessible than ever.

We will begin by describing user namespaces in general, then proceed to demonstrate an unprivileged container plus AppArmor confining GUI applications.

sha1: e4335acca4a59b498d0a8c1479a9d049a87af994

Page: Linux Security Summit 2014/Schedule (ns 0, page id 125); revision 3518; 2014-07-15T22:32:39Z; JamesMorris (user id 2); comment: [[Linux Security Summit 2014/Schedule]] moved to [[Linux Security Summit 2014/Schedule draft]]; wikitext text/x-wiki

#REDIRECT [[Linux Security Summit 2014/Schedule draft]]

sha1: 198ac2f1ce66e6e399c1b35b1aaf80592b1a7302

Page: Linux Security Summit 2014 (ns 0, page id 114); revision 3538 (parent 3537); 2014-08-20T20:14:36Z; JamesMorris (user id 2); comment: /* Day 2 (Tuesday 19th August) */; wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA.
It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon.

'''The venue location is the 2nd Floor, "Superior" room A/B'''

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides])'''
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])''
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])''
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])''
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])''
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])''
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])''
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])''
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])''
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update
| Mimi Zohar, IBM
|-
|10:00
| Smack update ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Smack.pdf slides])''
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])''
| Herbert Xu, Red Hat
|-
|10:50
| Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])''
| Kees Cook, Google
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])''
| Michael Halcrow & Ted Ts'o, Google
|-
|''15:00''
| colspan="2"|''Break''
|-
|15:15
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])''
| Serge Hallyn & Stéphane Graber, Canonical
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

46a7fea6100ce65fcfb20b7d625d9066fabe85c9

3539 3538 2014-08-21T03:42:04Z JamesMorris 2 /* Day 2 (Tuesday 19th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon.
'''The venue location is the 2nd Floor, "Superior" room A/B'''

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides])'''
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])''
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])''
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])''
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])''
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])''
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])''
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])''
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])''
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update ''([http://kernsec.org/files/lss2014/zohar_LSS2014-LinuxIntegritySubsystem-status.pdf slides])''
| Mimi Zohar, IBM
|-
|10:00
| Smack update ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Smack.pdf slides])''
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])''
| Herbert Xu, Red Hat
|-
|10:50
| Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])''
| Kees Cook, Google
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])''
| Michael Halcrow & Ted Ts'o, Google
|-
|''15:00''
| colspan="2"|''Break''
|-
|15:15
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])''
| Serge Hallyn & Stéphane Graber, Canonical
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.
Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

df5ed4984af7a08548b035120c4970f76cc040a6

3540 3539 2014-08-21T03:45:54Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon.
'''The venue location is the 2nd Floor, "Superior" room A/B'''

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides]) ([http://lwn.net/Articles/609003/ LWN coverage])'''
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])''
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])''
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])''
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])''
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])''
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])''
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])''
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])''
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update ''([http://kernsec.org/files/lss2014/zohar_LSS2014-LinuxIntegritySubsystem-status.pdf slides])''
| Mimi Zohar, IBM
|-
|10:00
| Smack update ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Smack.pdf slides])''
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])''
| Herbert Xu, Red Hat
|-
|10:50
| Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])''
| Kees Cook, Google
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])''
| Michael Halcrow & Ted Ts'o, Google
|-
|''15:00''
| colspan="2"|''Break''
|-
|15:15
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])''
| Serge Hallyn & Stéphane Graber, Canonical
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

3fb15f97693cac9059c4a6648a952cbc7826bbc0

3541 3540 2014-08-21T03:46:11Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon.
'''The venue location is the 2nd Floor, "Superior" room A/B'''

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides]) ([http://lwn.net/Articles/609003/ LWN coverage])'''
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])''
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])''
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])''
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])''
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]]
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])''
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])''
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])''
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])''
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update ''([http://kernsec.org/files/lss2014/zohar_LSS2014-LinuxIntegritySubsystem-status.pdf slides])''
| Mimi Zohar, IBM
|-
|10:00
| Smack update ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Smack.pdf slides])''
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])''
| Herbert Xu, Red Hat
|-
|10:50
| Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])''
| Kees Cook, Google
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])''
| Michael Halcrow & Ted Ts'o, Google
|-
|''15:00''
| colspan="2"|''Break''
|-
|15:15
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])''
| Serge Hallyn & Stéphane Graber, Canonical
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

17ad8b163055befb4a8186086fefb6de063f2ad6

3542 3541 2014-08-22T09:30:26Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon.
'''The venue location is the 2nd Floor, "Superior" room A/B'''

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides]) ([http://lwn.net/Articles/609003/ LWN coverage])'''
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])''
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides])''
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])''
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])''
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] ''([http://kernsec.org/files/lss2014/kurmus_quantify_reduce_kernel_attack_surface.pdf slides])''
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])''
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])''
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])''
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])''
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update ''([http://kernsec.org/files/lss2014/zohar_LSS2014-LinuxIntegritySubsystem-status.pdf slides])''
| Mimi Zohar, IBM
|-
|10:00
| Smack update ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Smack.pdf slides])''
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])''
| Herbert Xu, Red Hat
|-
|10:50
| Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])''
| Kees Cook, Google
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])''
| Michael Halcrow & Ted Ts'o, Google
|-
|''15:00''
| colspan="2"|''Break''
|-
|15:15
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])''
| Serge Hallyn & Stéphane Graber, Canonical
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

acb7959cc561a99d93871f1d62bdf86b5540a32f

3544 3542 2014-09-05T01:22:32Z JamesMorris 2 /* Day 1 (Monday 18th August) */ wikitext text/x-wiki

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2014 will be held across '''18 and 19 August''' in Chicago, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon], along with the Kernel Summit and other events. All attendees and presenters must be registered to attend LinuxCon.
'''The venue location is the 2nd Floor, "Superior" room A/B'''

= Schedule =

== Day 1 (Monday 18th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">'''Keynote Talk: Security and Boundaries'''</span> '''([http://www.hansenpartnership.com/SecuritySummit2014/ slides]) ([http://lwn.net/Articles/609003/ LWN coverage])'''
| [http://www.linux.com/news/special-feature/linux-developers/678568-30-linux-kernel-developers-in-30-weeks-james-bottomley James Bottomley], Parallels
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2014/Abstracts/Cook_1|Verified Component Firmware]] ''([http://kernsec.org/files/lss2014/cook_firmware.pdf slides])''
| Kees Cook, Google
|-
|10:45
| [[Linux_Security_Summit_2014/Abstracts/Smalley|Protecting the Android TCB with SELinux]] ''([http://kernsec.org/files/lss2014/lss2014_androidtcb_smalley.pdf slides]) ([http://lwn.net/Articles/609511/ LWN coverage])''
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2014/Abstracts/Schaufler|Tizen, Security and the Internet of Things]] ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Tizen.pdf slides])''
| Casey Schaufler, Intel
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Drysdale|Capsicum on Linux]] ''([http://kernsec.org/files/lss2014/drysdale_CapsicumLSSSlides.pdf slides])''
| David Drysdale, Google
|-
|14:45
| [[Linux_Security_Summit_2014/Abstracts/Kurmus|Quantifying and Reducing the Kernel Attack Surface]] ''([http://kernsec.org/files/lss2014/kurmus_quantify_reduce_kernel_attack_surface.pdf slides])''
| Anil Kurmus, IBM
|-
|''15:30''
|colspan="2"|''Break''
|-
|15:45
| [[Linux_Security_Summit_2014/Abstracts/Safford|Extending the Linux Integrity Subsystem for TCB Protection]] ''([http://kernsec.org/files/lss2014/safford_tcb_integrity.pdf slides])''
| David Safford & Mimi Zohar, IBM
|-
|16:30
| [[Linux_Security_Summit_2014/Abstracts/Cook_2|Trusted Kernel Lock-down Patch Series]] -- discussion ''([http://kernsec.org/files/lss2014/cook_lockdown.pdf slides])''
| Kees Cook, Google
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Tuesday 19th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update ''([http://kernsec.org/files/lss2014/lss-state_of_selinux-pmoore-082014-r1.pdf slides])''
| Paul Moore, Red Hat
|-
|09:20
| AppArmor update ''([http://kernsec.org/files/lss2014/hicks_lss-2014-apparmor-review.pdf slides])''
| Tyler Hicks, Canonical
|-
|09:40
| Integrity update ''([http://kernsec.org/files/lss2014/zohar_LSS2014-LinuxIntegritySubsystem-status.pdf slides])''
| Mimi Zohar, IBM
|-
|10:00
| Smack update ''([http://kernsec.org/files/lss2014/schaufler_201408-LinuxSecuritySummit-Smack.pdf slides])''
| Casey Schaufler, Intel
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto update ''([http://kernsec.org/files/lss2014/xu-crypto-201408.odp slides])''
| Herbert Xu, Red Hat
|-
|10:50
| Seccomp update ''([http://kernsec.org/files/lss2014/cook_seccomp.pdf slides])''
| Kees Cook, Google
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2014/Abstracts/Halcrow|EXT4 Encryption]] - discussion ''([http://kernsec.org/files/lss2014/Halcrow_EXT4_Encryption.pdf slides])''
| Michael Halcrow & Ted Ts'o, Google
|-
|''15:00''
| colspan="2"|''Break''
|-
|15:15
| [[Linux_Security_Summit_2014/Abstracts/Hallyn|Application Confinement with User Namespaces]] ''([http://kernsec.org/files/lss2014/hallyn_namespaces.pdf slides])''
| Serge Hallyn & Stéphane Graber, Canonical
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

= Call for Participation =

'''The CFP is now closed.''' The program committee <s>currently seeks</s> sought proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

= Program Committee =

The Linux Security Summit for 2014 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc [at] lists.linuxfoundation.org

85b94a8b05f6cff6f32f5d96948fb7dfd2a23101

Events 0 6 3543 3490 2014-08-22T09:38:13Z JamesMorris 2 wikitext text/x-wiki

== Upcoming ==

Linux Security Summit 2015, TBA.

== Past ==

=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].

=== 2013 ===
* [[Linux Security Summit 2013]], New Orleans, USA.

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA.

=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
** Event Details
* Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
**Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 1b8be7ec9870bfb98bfa71679b3d1b7d73efb0a2 3545 3543 2015-02-03T01:33:15Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == [http://kernsec.org/files/logos/linux-security-summit_medium.png] Linux Security Summit 2015, TBA. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. d2bea00df6cb4ec20604bdd49ce9c8a94bbecbf5 3546 3545 2015-02-03T01:34:52Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == Linux Security Summit 2015, TBA. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. 
===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. a26363b32a8b013a2c8755ef1b7d02d19f4e4de0 3547 3546 2015-02-03T01:36:33Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == <img src="http://kernsec.org/files/logos/linux-security-summit_medium.png" /> Linux Security Summit 2015, TBA. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 2d68ecf5e70d48cf1c3a0633b2e61d73d9a3e16a 3548 3547 2015-02-03T01:36:48Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == Linux Security Summit 2015, TBA. 
== Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 19eda0b77812dd6427cfa747a01935988d93ce8a 3549 3548 2015-02-13T03:05:06Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == [http://events.linuxfoundation.org/#events-list Linux Security Summit 2015], Seattle, WA, USA. August 20-21. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. 
Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. beee08f5d2d49a31d2032e8e241903adfa7e30f7 3550 3549 2015-02-13T03:05:19Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == * [http://events.linuxfoundation.org/#events-list Linux Security Summit 2015], Seattle, WA, USA. August 20-21. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. b3084489919e80c5caec87a316dc4b901149069b 3551 3550 2015-02-13T03:06:20Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == * [http://events.linuxfoundation.org/events/linux-security-summit Linux Security Summit 2015], Seattle, WA, USA. August 20-21. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. 
===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 171ad9e70183b3a36f3ba5a10619906b8e97afa4 3558 3551 2015-05-08T01:21:20Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == * [[http://kernsec.org/wiki/index.php/Linux_Security_Summit_2015]], Seattle, WA, USA. August 20-21. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 
5ef7aaf80e2f3c870c9f04064430f5ca57331cad 3559 3558 2015-05-08T01:21:47Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == * [[Linux_Security_Summit_2015]], Seattle, WA, USA. August 20-21. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. b8b5b74c2042c98de18a4678bcf799ef739a4bef 3560 3559 2015-05-08T01:22:05Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki == Upcoming == * [[Linux_Security_Summit_2015 Linux Security Summit 2015]], Seattle, WA, USA. August 20-21. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. 
**CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 586acd76d149a6654e93d20037091139c5baa1be 3561 3560 2015-05-08T01:22:30Z JamesMorris 2 wikitext text/x-wiki == Upcoming == * [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21. == Past == ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. f288a797a5c21618ff963f11a314526aabe944e0 Linux Security Summit 2015 0 126 3552 2015-05-08T01:16:30Z JamesMorris 2 Created page with "= Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster com..." 
wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. = Call for Participation = The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc@lists.linuxfoundation.org Abstracts should be approximately 150 words in total. == Program Committee== The Linux Security Summit for 2015 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org 3d0e4be1f1a483a4653e99aa00fb7e21633cd754 3553 3552 2015-05-08T01:17:20Z JamesMorris 2 wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. 
Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. = Call for Participation = The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc@lists.linuxfoundation.org Abstracts should be approximately 150 words in total. == Program Committee== The Linux Security Summit for 2015 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org 45b8a88893e504f1e7de1c444e557869672df941 3554 3553 2015-05-08T01:17:47Z JamesMorris 2 wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. 
The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. = Call for Participation = The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc@lists.linuxfoundation.org Abstracts should be approximately 150 words in total. == Program Committee== The Linux Security Summit for 2015 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org 9bd94e4119101cf1f06272c10cd5b814892cae64 3555 3554 2015-05-08T01:18:27Z JamesMorris 2 wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. 
The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. = Call for Participation = The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc@lists.linuxfoundation.org Abstracts should be approximately 150 words in total. == Program Committee== The Linux Security Summit for 2015 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org fe821dfb4a61634eb01b48788c195dcc7b49e1e7 3556 3555 2015-05-08T01:19:52Z JamesMorris 2 /* Event */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. 
The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit] = Call for Participation = The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc@lists.linuxfoundation.org Abstracts should be approximately 150 words in total. == Program Committee== The Linux Security Summit for 2015 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org ad39c4453f04c3d334a73d98998eeae6f17b9752 3557 3556 2015-05-08T01:20:22Z JamesMorris 2 wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. 
Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit] = Call for Participation = The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques Proposals should be submitted in plain text via email to the program committee at: lss-pc@lists.linuxfoundation.org Abstracts should be approximately 150 words in total. 
== Program Committee== The Linux Security Summit for 2015 is organized by: * James Morris, Oracle * Serge Hallyn, Canonical * Paul Moore, Red Hat * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * Kees Cook, Google * Casey Schaufler, Intel * Mimi Zohar, IBM The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org c3ddd3034dca86f16cb0ae218b217b7d59ee2068 3562 3557 2015-05-08T01:31:12Z JamesMorris 2 /* Call for Participation */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit] = Call for Participation = The program committee currently seeks proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques '''The CFP is open until 5th June. Accepted speakers will be notified by 12th June. 
Revision 3566 (2015-07-01T06:01:29Z, JamesMorris)

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:
* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon.

Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit]

= Call for Participation =

'''The CFP is now closed.'''

The program committee sought proposals for:
* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:
* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

== Program Committee ==

The Linux Security Summit for 2015 is organized by:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org

Page: Linux Security Summit 2015/Schedule (page 127, created in revision 3567 on 2015-07-01T06:01:52Z; revision 3587, 2015-07-01T14:29:10Z, JamesMorris)

= Schedule =

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">Keynote (TBA)</span>
| Some Person, Somewhere
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
| Greg Wettstein, IDfusion
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
| Mike Scutt and Tim Stiller, Rapid7
|-
|''12:45''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (To be confirmed...)
| Elena Reshetova, Intel
|-
|14:45
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
| Lukasz Wojciechowski, Samsung
|-
|''15:30''
|colspan="2"|''Break''
|-
|16:00
| Discussion: [[Linux_Security_Summit_2015/Abstracts/Ratliff| Core Infrastructure Initiative]]
| Emily Ratliff, Linux Foundation
|-
|16:30
| AAA
| BBB
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
| TBA
|-
|09:20
| AppArmor update
| TBA
|-
|09:40
| Integrity update
| TBA
|-
|10:00
| Smack update
| TBA
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto / Keys update
| TBA
|-
|10:50
| Seccomp update
| TBA
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| AAA
| BBB
|-
|''15:00''
|colspan="2"|''Break''
|-
|15:15
| AAA
| BBB
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

Page: Linux Security Summit 2015/Abstracts/Reshetova (page 128, revision 3569, 2015-07-01T13:26:37Z, JamesMorris)

== Title ==
Assembling Secure OS Images

== Presenter ==
Elena Reshetova, Intel

== Abstract ==
With the ongoing explosion of different embedded and mobile devices, both big vendors and small companies are attempting to create their flavour of Linux-based operating system that these devices will be running. Typically these OSes consist of a set of separate packages that have been put together and configured by different scripts running during the image build process.
The question that can be raised in this environment is "How much can we tell about the security of the OS image just by analysing its parts at different stages of the build process in an automated fashion?" There are many existing guides and tutorials for Linux-based systems that attempt to create a checklist of things that a system administrator needs to verify to ensure that the OS has certain hardening mechanisms in place, and there are commercial solutions that attempt to analyse the running OS image and determine its security. However, to the author's knowledge there are no mechanisms available in open source that can analyse the security during the image build process and at the same time be easily integrated into build systems, easily extendable and configurable to reflect the security needs of the organization. The goal of the talk is to present a new project and initial prototype that attempts to address the gap described above, as well as to get community feedback in order to determine the future direction of the project.

Page: Linux Security Summit 2015/Abstracts/Stiller (page 129, revision 3570, 2015-07-01T13:28:08Z, JamesMorris)

== Title ==
Linux Incident Response

== Presenter ==
Mike Scutt and Tim Stiller, Rapid7

== Abstract ==
While Windows is still the dominant operating system, Linux has seen a steady increase in adoption by many organizations in both the private and public sectors. This adoption opens up new avenues to attackers and can increase a company's attack footprint if not properly hardened. Many companies commonly deploy these hosts without any hardening, patching or isolation from the Internet, resulting in unauthorized access and potential data loss.
Performing IR on a compromised Linux host involves the capture of volatile data (memory snapshots, processes, ports) and non-volatile data (log files, dropped files, file-based persistence). Analysis may also include logs from proxies, intrusion detection systems and firewalls. In addition to forensic analysis, the responder must provide thorough documentation and a timeline of events based upon the completed analysis. With this data, the organization can begin the remediation process and incorporate better detections to further mitigate the threat.

Page: Linux Security Summit 2015/Abstracts/Wojciechowski (page 130, created in revision 3571 on 2015-07-01T13:33:54Z; revision 3583, 2015-07-01T14:18:40Z, JamesMorris)

== Title ==
Security framework for constraining applications' privileges

== Presenter ==
Lukasz Wojciechowski, Samsung

== Abstract ==
Imagine that you install a game. How do you know that it won't read your emails or web browser history? It could: in a typical Linux distribution an application runs with your user's privileges. This talk explains how to constrain 3rd party application privileges in the system. The presented solution allows configuring and controlling the application security environment as a whole: it does not only set up the privileges an application needs, but also configures MAC policy, DAC policy, properly labels all installed files and sets up the security context before launch. The proposed framework provides all the tools needed to achieve that: installation and launch support (Security-Manager), privilege/policy checker (Cynara), network privilege handling in an interactive way (Nether). It's also integrated with the LXC-based container framework (Vasum), so that launching a sandboxed application in a container is also covered. All modules are open source, available on both tizen.org and github.com. The talk describes the general idea and some interesting challenges that were encountered during development for the Tizen 3.0 platform.

Page: Linux Security Summit 2015/Abstracts/Schaufler Stacking (page 131, created in revision 3572 on 2015-07-01T13:35:31Z; revision 3573, 2015-07-01T13:36:15Z, JamesMorris)

== Title ==
Discussion: Linux Security Module Stacking Next Steps

== Presenter ==
Casey Schaufler

== Abstract ==
The basic underpinnings for security module stacking went into Linux 4.2. It is now possible to use multiple simple modules at the same time as a single sophisticated one. But there are serious limitations. Simple modules can't use any of the managed security blobs. There is no way to specify which modules you want on the boot line. There are many things to discuss:
* Format of the security= boot option
* Security blobs
* A "context" that allows for more than one module
* /proc interfaces
* The impact on audit
* Secids
* Networking
and we'll ask for any additional topics at the beginning.

Page: Linux Security Summit 2015/Abstracts/Smalley (page 132, revision 3574, 2015-07-01T13:37:05Z, JamesMorris)
== Title ==
SELinux in Android Lollipop and Android M

== Presenter ==
Stephen Smalley, NSA

== Abstract ==
At last year's LSS, we looked at how SELinux had been applied to protect the Android Trusted Computing Base (TCB), starting with selective root daemon confinement in the Android 4.4 KitKat release and then working toward full confinement and enforcing a core set of TCB protection goals in what was then referred to as Android L, subsequently released as Android 5.0 Lollipop in early November of last year. Android 5.0 Lollipop is the first mainline Android release to ship with SELinux enforcing for all processes, although a number of Samsung devices were shipping with SELinux enforcing for all processes as early as Android 4.3. In this talk, we will first briefly review the final state of SELinux in the Android 5.0 Lollipop release, including any changes made in subsequent Lollipop updates (e.g. Android 5.1). We will then look at how the Android SELinux support has advanced in the Android Open Source Project (AOSP) master branch since Lollipop was forked and what we expect to be present in the upcoming Android M release later this year (a preview of the M release was just made available and announced at Google I/O). The talk will include discussion of how SELinux has been applied to reinforce user isolation for Android's multi-user model and how SELinux has been applied to strengthen the Chrome sandbox, among other hardening improvements. We will also examine enhancements to the Android Compatibility Test Suite (CTS) to validate the Android SELinux policy for all Android devices and how these tests reduce the risk that OEMs will undermine the system security goals.

Page: Linux Security Summit 2015/Abstracts/Halcrow (page 133, revision 3575, 2015-07-01T13:44:29Z, JamesMorris)

== Title ==
Discussion: Linux and Mobile Device Encryption

== Presenter ==
Paul Lawrence and Mike Halcrow, Google.

== Abstract ==
Paul Lawrence and Mike Halcrow will discuss Google's efforts in transitioning Android data partition encryption from dm-crypt to ext4 encryption. They will cover some of the pain points with full disk encryption on Android, and they'll talk about how the issues motivated the transition to file system level encryption. Paul and Mike will explore new Android platform features that ext4 encryption enables. They'll also give their thoughts on performance, security, and usability issues relating to encryption on mobile devices.

Page: Linux Security Summit 2015/Abstracts/Wettstein (page 134, created in revision 3576 on 2015-07-01T13:47:32Z; revision 3577, 2015-07-01T13:48:19Z, JamesMorris)

== Title ==
CC3: An Identity Attested Linux Security Supervisor Architecture

== Presenter ==
Richard Engen MSFS, Johannes Grosen MS, Scott Stofferahn, Greg Wettstein R.Ph., Ph.D., IDfusion, LLC

== Abstract ==
Ubiquitous global networking and the economic incentives of commodity hardware and operating systems have conspired to produce a crisis of unprecedented status in information security. Of particular concern is security for systems controlling infrastructure or containing data, such as healthcare information, where no ex-post-facto redress is available for information disclosure. Recent compromises suggest classic defensive systems based on intrusion protection and detection technologies are failing, by leaving systems compromised for months before detection. Emerging technologies such as containerization address isolation, but do not address intrinsic system compromise detection.

Integrity measurement architectures (IMA), in combination with a dynamic root of trust, offer the means to implement compromise detection. The challenge is implementing IMA determinism and platform management, particularly in environments involving thousands of system deployments. This presentation and paper discuss a Linux security supervisor architecture, under active development and deployment, based on a device identity mutual attestation model which addresses these issues.
Page: Linux Security Summit 2015/Abstracts/Moore (page 135, revision 3578, 2015-07-01T13:49:53Z, JamesMorris)

== Title ==
Rethinking Audit

== Presenter ==
Paul Moore, Red Hat

== Abstract ==
The kernel's audit subsystem is an interesting thing: it is a must-have for many security-conscious users, but it is largely unloved by kernel developers, even the security-focused developers. Due to this lack of interest by kernel developers, the kernel's audit code and interfaces have become a bit of a mess. This discussion topic will identify some of these problem areas for audit and present some possible solutions.

Page: Linux Security Summit 2015/Abstracts/Kasatkin (page 136, revision 3579, 2015-07-01T13:51:14Z, JamesMorris)

== Title ==
IMA/EVM on Android Device

== Presenter ==
Dmitry Kasatkin, Huawei Technologies

== Abstract ==
I would like to make a presentation and demo about running IMA/EVM on Android devices. While having an IMA/EVM-enabled kernel is not a big deal, labeling the filesystem and initializing the kernel with keys have certain challenges on Android. We have made modifications to the Android build system and file system creation tools to facilitate that. My presentation will show how to run IMA/EVM on Android and I will give a demo using a Google Nexus phone using IMA/EVM to protect certain filesystem partitions.
Page: Linux Security Summit 2015/Abstracts/Vander Stoep (page 137, revision 3580, 2015-07-01T13:52:38Z, JamesMorris)

== Title ==
Ioctl Command Whitelisting in SELinux

== Presenter ==
Jeffrey Vander Stoep, Google

== Abstract ==
Ioctls provide many of the capabilities necessary for device control, ranging from benign functionality to critical operations or access to sensitive information. Some system capabilities, e.g. chown, kill, setuid, ipc_lock, etc., are granted on a per-capability basis. Ioctls, on the other hand, are granted on a per-file-descriptor basis, meaning that the set of ioctl capabilities provided by the file descriptor is granted all-or-nothing, even when only a subset may be needed. A single file descriptor may provide access to hundreds of capabilities. To restrict applications to their needed subset of capabilities, SELinux permissions have been extended to allow per-command whitelisting of ioctls. The discussion will include demonstration of attack surface reduction, bugs made unreachable, and improvements for user privacy. We will also share challenges and findings from deployment in Android M-preview.

Page: Linux Security Summit 2015/Abstracts/Manolov (page 138, revision 3581, 2015-07-01T13:57:49Z, JamesMorris)

== Title ==
IMA/EVM: Real Applications for Embedded Networking Systems

== Presenter ==
Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks

== Abstract ==
I am working on a project that requires integration of Linux IMA in large scale networking equipment. These are the basic ideas behind the talk:
* Provide a way for a platform supplier to delegate a Certificate Authority or building and IMA/EVM signing software to a third party.
* The Kernel Keyring needs to be able to add new CAs or certificate chains to provide a root of trust for all software from the platform and other third parties.
* There should be a method (OCSP or CRL) for being able to revoke a particular CA from the kernel keyring.
We will discuss experiments performed on the Linux kernel with different kinds of X509 certificate hierarchies for the validation of software being run.

Page: Linux Security Summit 2015/Abstracts/Ratliff (page 139, revision 3582, 2015-07-01T13:59:13Z, JamesMorris)

== Title ==
Discussion: Core Infrastructure Initiative

== Presenter ==
Emily Ratliff, Linux Foundation

== Abstract ==
The Linux Foundation announced the Core Infrastructure Initiative on April 24 of last year to "fund and support critical elements of the global information infrastructure" and famously funded two OpenSSL developers. What else has the project achieved since then? Has the initiative made an impact? This topic will present an update of what the initiative is doing, including a brief description of the open source Census project and the goals behind the Best Practices project. We invite a discussion about what more needs to be done and how we can pull together as a community to improve internet security for everybody.
6a8c3ce66fa79c4d2d613c7d45934b81678c0307 Linux Security Summit 2015/Schedule 0 127 3588 3587 2015-07-01T14:34:26Z JamesMorris 2 wikitext text/x-wiki

= Schedule =

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">Keynote (TBA)</span>
| Some Person, Somewhere
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
| Greg Wettstein, IDfusion
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
| Mike Scutt and Tim Stiller, Rapid7
|-
|''12:45''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (To be confirmed...)
| Elena Reshetova, Intel
|-
|14:45
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
| Lukasz Wojciechowski, Samsung
|-
|''15:30''
|colspan="2"|''Break''
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]]
| Emily Ratliff, Linux Foundation
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| SELinux update
| TBA
|-
|09:20
| AppArmor update
| TBA
|-
|09:40
| Integrity update
| TBA
|-
|10:00
| Smack update
| TBA
|-
|''10:20''
|colspan="2"|''Break''
|-
|10:30
| Crypto / Keys update
| TBA
|-
|10:50
| Seccomp update
| TBA
|-
|11:20
|colspan="2"| Break-out Session #1
|-
|''12:30''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
| AAA
| BBB
|-
|''15:00''
| colspan="2"|''Break''
|-
|15:15
| AAA
| BBB
|-
|16:00
|colspan="2"| Break-out Session #2
|-
|''17:00''
|colspan="2"|''Finish''
|}

8b7da8514ce9bb61cdc57a3075363dfa45851d53 3589 3588 2015-07-01T14:59:43Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki
d51fbdbc4c44527a1595b5637d545d22b8e8f64d 3590 3589 2015-07-01T15:18:48Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki
9e873c7b637f5f60d5dcf8728f3192e2104cbf1d 3591 3590 2015-07-01T15:33:45Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki
73ab54a86c59a0120a61587cd8aec409d3fed1c2 3592 3591 2015-07-01T15:36:03Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki
a2ea378448f4577e9aa65fa859d4b5ad34cd6a57 3593 3592 2015-07-01T15:38:17Z JamesMorris 2 wikitext text/x-wiki
39c960ce240208fe7ff0d53761a84cb23ab53169 3595 3593 2015-07-01T15:41:01Z JamesMorris 2 wikitext text/x-wiki
515963dc7f378e245fb2e4f84c100313a3a67f0c 3596 3595 2015-07-01T15:43:15Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
8e6ea68f16d4fcc58555d12a038381f78d103f8f 3597 3596 2015-07-01T15:44:00Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki
a342c81719c0ac426f1052c161e78b9fc8e34410 3598 3597 2015-07-02T03:02:58Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki
541c6f09e360ea586576e03afdc9835991f2f6c3 3599 3598 2015-07-02T03:09:08Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

980d6721048abeba71ed58a89ef811b0f542a86e 3600 3599 2015-07-02T03:09:23Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">Keynote (TBA)</span>
| Some Person, Somewhere
|-
|''09:50''
|colspan="2"|''Break''
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
| Greg Wettstein, IDfusion
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|''Break''
|-
|11:45
| [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
| Mike Scutt and Tim Stiller, Rapid7
|-
|''12:45''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|Paul Lawrence and Mike Halcrow, Google
|-
|14:45
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
| Lukasz Wojciechowski, Samsung
|-
|''15:30''
|colspan="2"|''Break''
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]]
| Emily Ratliff, Linux Foundation
|-
|''17:00''
|colspan="2"|''Finish''
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (TBC)
| Elena Reshetova, Intel (TBC)
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks
|-
|''10:30''
|colspan="2"|''Break''
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|Jeffrey Vander Stoep, Google
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|Dmitry Kasatkin, Huawei Technologies
|-
|''12:15''
|colspan="2"|''Lunch (self-funded at a nearby location)''
|-
|13:30
|Subsystem Update: Smack
|Casey Schaufler, Intel
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
| Mimi Zohar, IBM
|-
|''14:30''
|colspan="2"|''Break''
|-
|14:40
|Subsystem Update: SELinux
|Paul Moore, Red Hat
|-
|15:00
|Subsystem Update: Capabilities
| Serge Hallyn, Canonical
|-
|15:20
|Subsystem Update: Seccomp
|Kees Cook, Google
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]]
| Casey Schaufler, Intel
|-
|''16:10''
| colspan="2"|''Break''
|-
|16:30
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|Paul Moore, Red Hat
|-
|''17:00''
|colspan="2"|''Finish''
|}

dbdfdc41a49da77d8e2a9ac30a654a2eade52212 3601 3600 2015-07-02T03:13:21Z JamesMorris 2 wikitext text/x-wiki

= Schedule =

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| <span style="color:navy">Keynote (TBA)</span>
| Some Person, Somewhere
|-
|''09:50''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
| Greg Wettstein, IDfusion
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
| [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
| Mike Scutt and Tim Stiller, Rapid7
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|Paul Lawrence and Mike Halcrow, Google
|-
|14:45
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
| Lukasz Wojciechowski, Samsung
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]]
| Emily Ratliff, Linux Foundation
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (TBC)
| Elena Reshetova, Intel (TBC)
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking 
Systems]] | Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |Jeffrey Vander Stoep, Google |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |Dmitry Kasatkin, Huawei Technologies |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |Casey Schaufler, Intel |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity | Mimi Zohar, IBM |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |Paul Moore, Red Hat |- |15:00 |Subsystem Update: Capabilities | Serge Hallyn, Canonical |- |15:20 |Subsystem Update: Seccomp |Kees Cook, Google |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | Casey Schaufler, Intel |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |Paul Moore, Red Hat |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} e6495cb4d43a143994181fcc953953dd88ccd133 3603 3601 2015-07-02T03:15:34Z JamesMorris 2 wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">Keynote (TBA)</span> | Some Person, Somewhere |- |''09:50'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | Greg Wettstein, IDfusion |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | Stephen Smalley, NSA |- 
|''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | Mike Scutt and Tim Stiller, Rapid7 |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |Paul Lawrence and Mike Halcrow, Google |- |14:45 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | Lukasz Wojciechowski, Samsung |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | Emily Ratliff, Linux Foundation |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (TBC) | Elena Reshetova, Intel (TBC) |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |Jeffrey Vander Stoep, Google |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |Dmitry Kasatkin, Huawei Technologies |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity | Mimi Zohar, IBM |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem 
Update: SELinux |Paul Moore, Red Hat |- |15:00 |Subsystem Update: Capabilities | Serge Hallyn, Canonical |- |15:20 |Subsystem Update: Seccomp |Kees Cook, Google |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | Casey Schaufler, Intel |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |Paul Moore, Red Hat |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} c21b47ba6886cd629b01ddbb9a490f5f03060333 3604 3603 2015-07-02T03:16:05Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">Keynote (TBA)</span> | Some Person, Somewhere |- |''09:50'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | Greg Wettstein, IDfusion |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | Mike Scutt and Tim Stiller, Rapid7 |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |Paul Lawrence and Mike Halcrow, Google |- |14:45 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | Lukasz Wojciechowski, Samsung |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure 
Initiative]] | Emily Ratliff, Linux Foundation |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (TBC) | Elena Reshetova, Intel (TBC) |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |Jeffrey Vander Stoep, Google |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |Dmitry Kasatkin, Huawei Technologies |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity | Mimi Zohar, IBM |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |Paul Moore, Red Hat |- |15:00 |Subsystem Update: Capabilities | Serge Hallyn, Canonical |- |15:20 |Subsystem Update: Seccomp |Kees Cook, Google |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |Paul Moore, Red Hat |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 07277aa8a66a6c9b1b3eb95807bdabfc77722d3d 3605 3604 2015-07-02T03:16:19Z JamesMorris 2 /* Day 2 (Friday 21st 
August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">Keynote (TBA)</span> | Some Person, Somewhere |- |''09:50'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | Greg Wettstein, IDfusion |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | Mike Scutt and Tim Stiller, Rapid7 |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |Paul Lawrence and Mike Halcrow, Google |- |14:45 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | Lukasz Wojciechowski, Samsung |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | Emily Ratliff, Linux Foundation |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (TBC) | Elena Reshetova, Intel (TBC) |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |Jeffrey Vander Stoep, Google |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |Dmitry Kasatkin, Huawei Technologies |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity | Mimi Zohar, IBM |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |Paul Moore, Red Hat |- |15:00 |Subsystem Update: Capabilities | Serge Hallyn, Canonical |- |15:20 |Subsystem Update: Seccomp |Kees Cook, Google |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |Paul Moore, Red Hat |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 7c9cea446ae4783b16b5ce4591f1ed3168c0c223 3611 3605 2015-07-02T03:22:04Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">Keynote (TBA)</span> | Some Person, Somewhere |- |''09:50'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | Greg Wettstein, IDfusion |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|<span 
style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | Mike Scutt and Tim Stiller, Rapid7 |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |Paul Lawrence and Mike Halcrow, Google |- |14:45 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | Lukasz Wojciechowski, Samsung |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | Emily Ratliff, Linux Foundation |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (TBC) | Elena Reshetova, Intel (TBC) |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |Jeffrey Vander Stoep, Google |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |Dmitry Kasatkin, Huawei Technologies |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity | Mimi Zohar, IBM |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |Paul Moore, Red 
Hat |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |Kees Cook, Google |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |Paul Moore, Red Hat |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} e15aa1617e93911a2eeda9b86047f2afbe5b0830 3614 3611 2015-07-02T03:45:36Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | <span style="color:navy">Keynote (TBA)</span> | Some Person, Somewhere |- |''09:50'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | Greg Wettstein, IDfusion |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | Mike Scutt and Tim Stiller, Rapid7 |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |Paul Lawrence and Mike Halcrow, Google |- |14:45 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | Lukasz Wojciechowski, Samsung |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | 
[[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | Emily Ratliff, Linux Foundation |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (TBC) | Elena Reshetova, Intel (TBC) |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |Jeffrey Vander Stoep, Google |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |Dmitry Kasatkin, Huawei Technologies |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity | Mimi Zohar, IBM |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |Paul Moore, Red Hat |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |Paul Moore, Red Hat |- |''17:00'' 
|colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 3bda0468c96e3a82e9a5f815116da73939b24289 3619 3614 2015-07-02T05:14:48Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | <span style="color:navy">Keynote (TBA)</span> | Some Person, Somewhere |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | Greg Wettstein, IDfusion |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | Mike Scutt and Tim Stiller, Rapid7 |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |Paul Lawrence and Mike Halcrow, Google |- |14:45 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | Lukasz Wojciechowski, Samsung |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | Emily Ratliff, Linux Foundation |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (TBC) | Elena Reshetova, Intel (TBC) |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: 
Real Applications for Embedded Networking Systems]] | Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |Jeffrey Vander Stoep, Google |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |Dmitry Kasatkin, Huawei Technologies |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity | Mimi Zohar, IBM |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |Paul Moore, Red Hat |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |Paul Moore, Red Hat |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 51a3a60f563e736eca23a3bcd2acd48527071ea8 3624 3619 2015-07-02T11:56:23Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | <span style="color:navy">Keynote (TBA)</span> | Some Person, Somewhere |- |''09:55'' 
|colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | Greg Wettstein, IDfusion |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | Mike Scutt and Tim Stiller, Rapid7 |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |Paul Lawrence and Mike Halcrow, Google |- |14:45 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | Lukasz Wojciechowski, Samsung |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | Emily Ratliff, Linux Foundation |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] (TBC) | Elena Reshetova, Intel (TBC) |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |Jeffrey Vander Stoep, Google |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |Dmitry Kasatkin, Huawei Technologies |- |''12:15'' |colspan="2"|<span 
style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |Paul Moore, Red Hat |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |Paul Moore, Red Hat |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} e54d6f29143fa1a1128a19fa1a64a1b847449e21 3625 3624 2015-07-03T01:18:15Z JamesMorris 2 wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | <span style="color:navy">Keynote (TBA)</span> | Some Person, Somewhere |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | Greg Wettstein, IDfusion |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | Stephen Smalley, NSA |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident 
Response]] | Mike Scutt and Tim Stiller, Rapid7 |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |Paul Lawrence and Mike Halcrow, Google |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] | Elena Reshetova, Intel |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | Emily Ratliff, Linux Foundation |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | Lukasz Wojciechowski, Samsung |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |Jeffrey Vander Stoep, Google |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |Dmitry Kasatkin, Huawei Technologies |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |Paul Moore, Red Hat |- |15:00 |Subsystem Update: Capabilities | 
[[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]]
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:30
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|Paul Moore, Red Hat
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

Revision 3636 (parent 3634), 2015-07-04T02:37:22Z, JamesMorris, edit summary: /* Day 2 (Friday 21st August) */

= Schedule =

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| <span style="color:navy">Keynote (TBA)</span>
| TBA
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
| Greg Wettstein, IDfusion
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
| [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
| Mike Scutt and Tim Stiller, Rapid7
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|Paul Lawrence and Mike Halcrow, Google
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]]
| Emily Ratliff, Linux Foundation
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|Jeffrey Vander Stoep, Google
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]]
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:30
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}
Page: Linux Security Summit 2015/Abstracts/Moore (revision 3594, parent 3578, 2015-07-01T15:40:41Z, JamesMorris, edit summary: /* Title */)

== Title ==

Discussion: Rethinking Audit

== Presenter ==

Paul Moore, Red Hat

== Abstract ==

The kernel's audit subsystem is an interesting thing: it is a must-have for many security-conscious users, but it is largely unloved by kernel developers, even the security-focused developers. Due to this lack of interest by kernel developers, the kernel's audit code and interfaces have become a bit of a mess. This discussion topic will identify some of these problem areas for audit and present some possible solutions.

Page: Linux Security Summit 2015/Bio/Schaufler (revision 3609, parent 3602, 2015-07-02T03:21:08Z, JamesMorris)

'''Casey Schaufler''' started programming Unix kernels at the end of the 1970s, when megabytes were for disc drives and C was still written in K&R style. He started working on system security in the Orange Book era, contributing to SunOS/MLS, Trusted Irix and the POSIX P1003.1e/2c drafts. During this time he implemented access control lists, mandatory access control, extended filesystem attributes, X11 access controls, network protocols and more audit systems than is really healthy. His involvement in Linux began with the Linux Security Module work at the turn of the century, but was off the mainstream until he introduced the Smack LSM in 2007. Casey has worked on MeeGo, Tizen and other lesser-known system products. Most recently, he reworked the LSM infrastructure as the initial stage in supporting multiple concurrent modules. Casey lives on the California coast, just south of San Francisco. He is employed at Intel's Open Source Technology Center.

Page: Linux Security Summit 2015 (revision 3623, parent 3618, 2015-07-02T11:55:34Z, JamesMorris, edit summary: /* Program Committee */)

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem updates
* Breakout development sessions

= Event =

The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events.

All attendees and presenters must be registered to attend LinuxCon.

Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit]

= Call for Participation =

'''The CFP is now closed.'''

The program committee sought proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

== Program Committee ==

The Linux Security Summit for 2015 is organized by:

* [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
* [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
* [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
* [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]

The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org

Revision 3637 (parent 3623), 2015-07-04T02:38:13Z, JamesMorris, edit summary: /* Program Committee */

= Description =

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.
The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit] = Call for Participation = '''The CFP is now closed.''' The program committee sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques == Program Committee== The Linux Security Summit for 2015 is organized by: * [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] * [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] * [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] * Stephen Smalley, NSA * Joshua Brindle, Quark Security * Herbert Xu, Red Hat * John Johansen, Canonical * [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] * [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] * [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org 52bc74489c500a20268d5b756543e05adf64c348 Linux Security Summit 2015/Bio/Hallyn 0 141 3607 2015-07-02T03:17:54Z JamesMorris 2 Created page with "Serge Hallyn works for Canonical as a member of the Ubuntu Server team, with a 
particular focus on the virtualization stack. He has been involved with containers since the fir..." wikitext text/x-wiki Serge Hallyn works for Canonical as a member of the Ubuntu Server team, with a particular focus on the virtualization stack. He has been involved with containers since the first upstream kernel patches for uts and pid namespaces. He was involved with LSM from the start, is listed as co-maintainer of the security subsystem and capabilities, and is a core maintainer of the LXC project. eaaff5e97b6852f7c3adbea35f085b7566252fb0 3608 3607 2015-07-02T03:19:34Z JamesMorris 2 wikitext text/x-wiki '''Serge Hallyn''' works for Canonical as a member of the Ubuntu Server team, with a particular focus on the virtualization stack. He has been involved with containers since the first upstream kernel patches for uts and pid namespaces. He was involved with LSM from the start, is listed as co-maintainer of the security subsystem and capabilities, and is a core maintainer of the LXC project. a622392ff96dc4444c16fefbe6d7ee59c7d090c7 Linux Security Summit 2015/Bio/Cook 0 142 3612 2015-07-02T03:44:11Z JamesMorris 2 Created page with "Kees Cook has been working with Free Software since 1994, and has been a Debian Developer since 2007. He is currently employed by Google to work on Chrome OS Security. From 20..." wikitext text/x-wiki Kees Cook has been working with Free Software since 1994, and has been a Debian Developer since 2007. He is currently employed by Google to work on Chrome OS Security. From 2006 through 2011 he worked for Canonical as the Ubuntu Security Team's Tech Lead, and remains on the Ubuntu Technical Board. Before that, he worked at OSDL where he helped admin the mirrors at kernel.org, and sometimes hacked on Inkscape. He has written various utilities including GOPchop and Sendpage, and contributes randomly to other projects including fun chunks of code in Wine, MPlayer, OpenSSH, and Wireshark. 
He's been spending most of his time lately focused on security features in the Linux Kernel. b5df4a231262a9590ac796ebbbee21f626ffacc5 3615 3612 2015-07-02T04:56:03Z JamesMorris 2 wikitext text/x-wiki '''Kees Cook''' has been working with Free Software since 1994, and has been a Debian Developer since 2007. He is currently employed by Google to work on Chrome OS Security. From 2006 through 2011 he worked for Canonical as the Ubuntu Security Team's Tech Lead, and remains on the Ubuntu Technical Board. Before that, he worked at OSDL where he helped admin the mirrors at kernel.org, and sometimes hacked on Inkscape. He has written various utilities including GOPchop and Sendpage, and contributes randomly to other projects including fun chunks of code in Wine, MPlayer, OpenSSH, and Wireshark. He's been spending most of his time lately focused on security features in the Linux Kernel. e9b5d629c0c6eca16510c52f71fd8fd01e434dd9 Linux Security Summit 2015/Bio/Morris 0 143 3616 2015-07-02T05:08:33Z JamesMorris 2 Created page with "'''James Morris''' is a Linux kernel developer. He currently works as Director of Mainline Linux Kernel Engineering at Oracle, leading the upstream kernel development team. ..." wikitext text/x-wiki '''James Morris''' is a Linux kernel developer. He currently works as Director of Mainline Linux Kernel Engineering at Oracle, leading the upstream kernel development team. He is also the lead maintainer of the Linux kernel security subsystem, and chair of the Linux Security Summit program committee. James was an original member of the Netfilter Core Team, and lead developer of the Linux kernel cryptographic API. He was previously a maintainer of the networking subsystem, the cryptographic API, and SELinux. He previously worked at Red Hat, leading the SELinux kernel development effort, as well as creating Multi-Category Security (MCS) and sVirt (Secure Virtualization for Linux). James is based in Sydney, Australia. 
His non-Linux interests include amateur radio (microwave, weak signal, and space communications), and film photography. e2e62f0fffdf2d098addebe75f5536b801e5e0d0 3617 3616 2015-07-02T05:11:35Z JamesMorris 2 wikitext text/x-wiki [http://blog.namei.org/ '''James Morris'''] is a Linux kernel developer. He currently works as Director of Mainline Linux Kernel Engineering at Oracle, leading the [https://blogs.oracle.com/linuxkernel/ upstream kernel development team]. He is also the lead maintainer of the [http://kernsec.org/wiki/index.php/Main_Page Linux kernel security subsystem], and chair of the Linux Security Summit program committee. James was an original member of the Netfilter Core Team, and was the lead developer of the Linux kernel cryptographic API. He was previously a Linux kernel maintainer of the networking subsystem, the cryptographic API, and SELinux. He previously worked at Red Hat, leading the SELinux kernel development effort, as well as creating Multi-Category Security (MCS) and sVirt (Secure Virtualization for Linux). James is based in Sydney, Australia. His non-Linux interests include amateur radio (microwave, weak signal, and space communications), and film photography. 6bf6de814a843fe756d98b624577f8440639e701 3620 3617 2015-07-02T08:38:13Z JamesMorris 2 wikitext text/x-wiki [http://blog.namei.org/ '''James Morris'''] is a Linux kernel developer. He currently works as Director of Mainline Linux Kernel Engineering at Oracle, leading the [https://blogs.oracle.com/linuxkernel/ upstream kernel development team]. He is also the lead maintainer of the [http://kernsec.org/wiki/index.php/Main_Page Linux kernel security subsystem], and chair of the Linux Security Summit program committee. James was an original member of the Netfilter Core Team, and was the lead developer of the Linux kernel cryptographic API. He was previously a Linux kernel maintainer of the networking subsystem, the cryptographic API, and SELinux. 
He previously worked at Red Hat, leading the SELinux kernel development effort, as well as creating Multi-Category Security (MCS) and sVirt (Secure Virtualization for Linux). James is based in Sydney, Australia. 74af7a5c18c5383870eb325bafee375820b7fb97 Linux Security Summit 2015/Bio/Zohar 0 144 3621 2015-07-02T11:55:01Z JamesMorris 2 Created page with "'''Mimi Zohar'' is a member of the Secure Systems Group at the IBM T.J. Watson Research Center. Her current interests are in the areas of system security and integrity, a natu..." wikitext text/x-wiki '''Mimi Zohar'' is a member of the Secure Systems Group at the IBM T.J. Watson Research Center. Her current interests are in the areas of system security and integrity, a natural progression from prior work in firewall design for perimeter security. She is the linux-integrity subsystem maintainer. 3083a52b27a798d57999b4b945e2d788c45fde62 3622 3621 2015-07-02T11:55:11Z JamesMorris 2 wikitext text/x-wiki '''Mimi Zohar''' is a member of the Secure Systems Group at the IBM T.J. Watson Research Center. Her current interests are in the areas of system security and integrity, a natural progression from prior work in firewall design for perimeter security. She is the linux-integrity subsystem maintainer. f7e104b870844c81b91569c4974f8fb993618079 Linux Security Summit 2015/Bio/Reshetova 0 145 3627 2015-07-03T01:20:40Z JamesMorris 2 Created page with "'''Elena Reshetova''' is a Security Architect and researcher at the Intel Open Source Technology Centre working with various Open Source platform security projects across the ..." wikitext text/x-wiki '''Elena Reshetova''' is a Security Architect and researcher at the Intel Open Source Technology Centre working with various Open Source platform security projects across the whole Linux platform security community. Prior to working for Intel, Elena was employed by Nokia to act as a Security Architect for the Meego platform. Elena is also a postgraduate student at the Aalto University. 
Her current research area involves exploring various OS virtualization solutions and their applicability for mobile or embedded security use cases. c95d12151825ef3f69ac9836aee1836acb907fd8 Linux Security Summit 2015/Bio/Wojciechowski 0 146 3629 2015-07-03T01:27:21Z JamesMorris 2 Created page with "'''Lukasz Wojciechowski''' studied Computer Science and than worked as a professor assistant at Warsaw University of Technology. Professional carrier begun as Software Enginee..." wikitext text/x-wiki '''Lukasz Wojciechowski''' studied Computer Science and then worked as a professor's assistant at Warsaw University of Technology. His professional career began as a Software Engineer in a company designing and leading projects for military devices (communication, networking and security) and software (force tracking, combat field management). Since November 2013 he has worked for Samsung R&D Institute Poland on the Tizen security project, as technical leader of [https://wiki.tizen.org/wiki/Security:Cynara Cynara]. dd8e39afc82b7c3af715f8083cbfbb3d281d6ea2 Linux Security Summit 2015/Bio/Kasatkin 0 147 3632 2015-07-03T10:06:04Z JamesMorris 2 Created page with "'''Dmitry Kasatkin''' has been a Linux user since 1996 and a developer since 1999. His first major open source project was the Affix Bluetooth stack for Linux, which includes ..." wikitext text/x-wiki '''Dmitry Kasatkin''' has been a Linux user since 1996 and a developer since 1999. His first major open source project was the Affix Bluetooth stack for Linux, which includes kernel space and user space components and was the first Nokia Open Source GPL project. In 2008 Dmitry's focus shifted towards security and cryptography software. He implemented TI OMAP crypto drivers and is currently the major contributor and co-maintainer of the Linux kernel Integrity Subsystem. Dmitry works at Huawei Technologies, Security Competence Center, Finland. Previously he worked at Samsung Electronics, Intel and Nokia.
ca6b2d1c4f5b2f146a9d414229e5e38bbac598c2 Linux Security Summit 2015/Bio/Moore 0 148 3635 2015-07-04T02:36:06Z JamesMorris 2 Created page with "Paul Moore has been involved in various Linux security efforts since 2004, first at Hewlett-Packard and now at Red Hat. He currently maintains the SELinux, audit, and labeled..." wikitext text/x-wiki Paul Moore has been involved in various Linux security efforts since 2004, first at Hewlett-Packard and now at Red Hat. He currently maintains the SELinux, audit, and labeled networking subsystems in the Linux Kernel as well as leading development of the libseccomp library. 27bf912f053189c0a5f12c04406d9565cf66ed5c Linux Security Summit 2015/Bio/Moore 0 148 3638 3635 2015-07-04T02:39:22Z JamesMorris 2 wikitext text/x-wiki ''Paul Moore'' has been involved in various Linux security efforts since 2004, first at Hewlett-Packard and now at Red Hat. He currently maintains the SELinux, audit, and labeled networking subsystems in the Linux Kernel as well as leading development of the libseccomp library. 466f4238f798d2b64719493b391ef4bfad35fef3 3639 3638 2015-07-04T02:39:36Z JamesMorris 2 wikitext text/x-wiki '''Paul Moore''' has been involved in various Linux security efforts since 2004, first at Hewlett-Packard and now at Red Hat. He currently maintains the SELinux, audit, and labeled networking subsystems in the Linux Kernel as well as leading development of the libseccomp library. 48961b69bb24d08d3dd57ddf01e7cb1db9b024a2 Linux Security Summit 2015/Bio/Halcrow 0 149 3640 2015-07-04T02:40:53Z JamesMorris 2 Created page with "'''Mike Halcrow''' was the project lead for the ext4 encryption feature that was merged into the 4.1 release of the Linux kernel. A few years ago he built native disk encrypti..." wikitext text/x-wiki '''Mike Halcrow''' was the project lead for the ext4 encryption feature that was merged into the 4.1 release of the Linux kernel. 
A few years ago he built native disk encryption into Google Compute Engine, and he now spends much of his time working with various teams at Google as they integrate and deploy encryption. He's been a senior developer on the Microsoft BitLocker team, where he delivered key management features for Windows and maintained EFS. In the seemingly-distant past he was the original eCryptfs project lead at the IBM Linux Technology Center. He's recently taken an interest in tackling storage encryption challenges on mobile platforms. d7ae509a9081387134bbdded081e2d2824f96574 3667 3640 2015-07-28T02:34:14Z JamesMorris 2 wikitext text/x-wiki '''Mike Halcrow''' was the project lead for the ext4 encryption feature that was merged into the 4.1 release of the Linux kernel. A few years ago he built native disk encryption into Google Compute Engine, and he now spends much of his time working with various teams at Google as they integrate and deploy encryption. He's been a senior developer on the Microsoft BitLocker team, where he delivered key management features for Windows and maintained EFS. In the seemingly-distant past he was the original eCryptfs project lead at the IBM Linux Technology Center. He's recently taken an interest in tackling storage encryption challenges on mobile platforms. '''Paul Lawrence''' is a software engineer at Google working in the Android security team, specializing in disk encryption for Android devices. He is a graduate of Cambridge University and holds a PhD from the University of Manchester. 
c99593eaa723da3ac6fea10ee6dca88f997cc283 Linux Security Summit 2015/Schedule 0 127 3641 3636 2015-07-04T02:41:34Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
= Schedule =
== Day 1 (Thursday 20th August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| <span style="color:navy">Keynote (TBA)</span>
| TBA
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
| Greg Wettstein, IDfusion
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
| Stephen Smalley, NSA
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
| [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
| Mike Scutt and Tim Stiller, Rapid7
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]]
| Emily Ratliff, Linux Foundation
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}
== Day 2 (Friday 21st August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz
Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|Jeffrey Vander Stoep, Google
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]]
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:30
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}
7e3d05d9f23fcbec856a6afb00f9202a394e1664 3646 3641 2015-07-07T02:16:10Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
= Schedule =
== Day 1 (Thursday 20th August) ==
{|
border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| <span style="color:navy">Keynote (TBA)</span>
| TBA
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
| Greg Wettstein, IDfusion
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
| [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
| Mike Scutt and Tim Stiller, Rapid7
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]]
| Emily Ratliff, Linux Foundation
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}
== Day 2 (Friday 21st August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| Petko Manolov, Konsulko Group, and Mark Baushke, Juniper
Networks
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|Jeffrey Vander Stoep, Google
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]]
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:30
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}
84a910bb2e37c6cd618699785f2ad9b3566d2331 3649 3646 2015-07-07T02:20:18Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki
= Schedule =
== Day 1 (Thursday 20th August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| <span style="color:navy">Keynote (TBA)</span>
| TBA
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
| Greg Wettstein, IDfusion
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
| [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
| Mike Scutt and Tim Stiller, Rapid7
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]]
| Emily Ratliff, Linux Foundation
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}
== Day 2 (Friday 21st August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]]
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:30
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}
69f05b067b465596f34f5d71dcc0e7262354dad6 3650 3649 2015-07-07T02:22:00Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
= Schedule =
== Day 1 (Thursday 20th August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| <span style="color:navy">Keynote</span>
| Konstantin Ryabitsev, Linux Foundation
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
|
[[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
| Greg Wettstein, IDfusion
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
| [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
| Mike Scutt and Tim Stiller, Rapid7
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]]
| Emily Ratliff, Linux Foundation
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}
== Day 2 (Friday 21st August) ==
{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
|[[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
|[[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]]
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:30
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

d093b42cdb52aa33bc26595439acff54552d0696 3651 3650 2015-07-07T02:22:38Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
1b1001d9172caab53fc0ab5d9d93c59d9ea08da1 3652 3651 2015-07-07T02:31:10Z JamesMorris 2 JamesMorris moved page [[Linux Security Summit 2015/Draft Schedule]] to [[Linux Security Summit 2015/Schedule]] wikitext text/x-wiki
1b1001d9172caab53fc0ab5d9d93c59d9ea08da1 3655 3652 2015-07-07T14:44:49Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
87ae9cf3ee7060c86c8233f35b2996bdc44d284f 3657 3655 2015-07-08T01:36:16Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
7539739238315fb9be28749d1c5fdf30fab646fd 3658 3657 2015-07-08T01:36:35Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
f3fa94a125a91604b4a2690527d1970d0e9602ab 3659 3658 2015-07-08T01:37:07Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
efe9a6c80551e7b658500570e4d7beba766555dd 3661 3659 2015-07-08T01:39:02Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki
09f0861e0cd3d67802a76f6c8f415c45291ddb7b 3663 3661 2015-07-08T11:53:02Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki
3f139eb74d07799b29e5b87d8a3ae1b087a6324e 3665 3663 2015-07-09T14:54:28Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki

= Schedule =

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
|'''<span style="color:navy">Keynote</span>'''
|[[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
|[[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]]
|Greg Wettstein, IDfusion
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]]
|[[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]]
|[[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
|[[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]]
|[[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|[[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]]
|[[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
|[[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
|[[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
|[[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]]
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 960315e8dec05e935dec6d4f80184704cb8bc5eb 3670 3665 2015-08-09T22:40:23Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote</span>''' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span 
style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | 
[[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} bd99024e5d6efed38428b776575096d5d886ca6c 3671 3670 2015-08-15T03:21:53Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote: Giant Bags of Mostly Water: Securing your IT Infrastructure by Securing your Team</span>''' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span 
style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 6117c83ad7b48ba582d34a4682133cb788fdd38b 3672 3671 2015-08-15T03:22:14Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote: Giant Bags of Mostly Water -- Securing your IT Infrastructure by Securing your Team</span>''' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen 
Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span 
style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 645463dfc89a6e8cf453b515aee003a24cde94ca 3673 3672 2015-08-15T03:22:39Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span> Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team''' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | 
[[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 0eebff00c0a130d974978eca48435591a6cdd582 3674 3673 2015-08-15T03:23:11Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your 
IT Infrastructure by Securing your Team | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz 
Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 71c91a8627309c09226692b6f3916fd0de7be794 3675 3674 2015-08-15T03:52:02Z JamesMorris 2 /* Day 1 (Thursday 
20th August) */ wikitext text/x-wiki = Schedule = == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] | [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] | 
[[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] | 
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| ''16:10'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:30 || [[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

d00031b95b16ee7aafbc30c87ca45c6c3d405cce 3676 3675 2015-08-18T23:38:31Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor.'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || Welcome || [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
| 09:05 || '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team || [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
| ''09:55'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:00 || [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] || [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
| ''11:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 11:45 || [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] || [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]]
|-
| ''12:45'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 14:00 || [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] || [[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
| 14:45 || [[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] || [[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
| ''15:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:00 || [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] || [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] || [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
| 09:45 || [[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] || [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
| ''10:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] || [[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
| 11:30 || [[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] || [[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
| ''12:15'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 13:30 || Subsystem Update: Smack || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| 13:50 || Subsystem Update: AppArmor || John Johansen, Canonical
|-
| 14:10 || Subsystem Update: Integrity || [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
| ''14:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 14:40 || Subsystem Update: SELinux || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| 15:00 || Subsystem Update: Capabilities || [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
| 15:20 || Subsystem Update: Seccomp || [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
| 15:40 || [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| ''16:10'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:30 || [[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

25c8398ae1bb67bc63abf1cd9c0bb4419186eeb1 3677 3676 2015-08-18T23:41:39Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || Welcome || [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
| 09:05 || '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team || [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
| ''09:55'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:00 || [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] || [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
| ''11:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 11:45 || [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] || [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]]
|-
| ''12:45'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 14:00 || [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] || [[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
| 14:45 || [[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] || [[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
| ''15:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:00 || [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] || [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] || [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
| 09:45 || [[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] || [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
| ''10:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] || [[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
| 11:30 || [[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] || [[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
| ''12:15'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 13:30 || Subsystem Update: Smack || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| 13:50 || Subsystem Update: AppArmor || John Johansen, Canonical
|-
| 14:10 || Subsystem Update: Integrity || [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
| ''14:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 14:40 || Subsystem Update: SELinux || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| 15:00 || Subsystem Update: Capabilities || [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
| 15:20 || Subsystem Update: Seccomp || [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
| 15:40 || [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| ''16:10'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:30 || [[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

df4c1a4bb8c5c0fca710f74c6e4a6dffc0740bc5 3678 3677 2015-08-18T23:48:47Z JamesMorris 2 wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || Welcome || [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
| 09:05 || '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team || [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
| ''09:55'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:00 || [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] || [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
| ''11:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 11:45 || [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] || [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]]
|-
| ''12:45'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 14:00 || [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] || [[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
| 14:45 || [[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] || [[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
| ''15:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:00 || [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] || [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] || [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
| 09:45 || [[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] || [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
| ''10:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] || [[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
| 11:30 || [[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] || [[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
| ''12:15'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 13:30 || Subsystem Update: Smack || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|-
| 13:50 || Subsystem Update: AppArmor || John Johansen, Canonical
|-
| 14:10 || Subsystem Update: Integrity || [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
| ''14:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 14:40 || Subsystem Update: SELinux || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| 15:00 || Subsystem Update: Capabilities || [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
| 15:20 || Subsystem Update: Seccomp || [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
| 15:40 || [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| ''16:10'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:30 || [[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

0cc149fdea28c4c2a9d68a8d41bcfa789ca89df8 3679 3678 2015-08-18T23:49:50Z JamesMorris 2 wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || Welcome || [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
| 09:05 || '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team || [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
| ''09:55'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:00 || [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] || [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
| ''11:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 11:45 || [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] || [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]]
|-
| ''12:45'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 14:00 || [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] || [[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
| 14:45 || [[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] || [[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
| ''15:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:00 || [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] || [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] || [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
| 09:45 || [[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] || [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
| ''10:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] || [[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
| 11:30 || [[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] || [[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
| ''12:15'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 13:30 || Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| 13:50 || Subsystem Update: AppArmor || John Johansen, Canonical
|-
| 14:10 || Subsystem Update: Integrity || [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
| ''14:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 14:40 || Subsystem Update: SELinux || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| 15:00 || Subsystem Update: Capabilities || [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
| 15:20 || Subsystem Update: Seccomp || [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
| 15:40 || [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| ''16:10'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:30 || [[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

b737be1e2772d1266a38eb5922674b157079889a 3680 3679 2015-08-18T23:56:21Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || Welcome || [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
| 09:05 || '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team || [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
| ''09:55'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:00 || [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] || [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
| ''11:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 11:45 || [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] || [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]]
|-
| ''12:45'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 14:00 || [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] || [[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
| 14:45 || [[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] || [[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
| ''15:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:00 || [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] || [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf])'' || [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
| 09:45 || [[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] || [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
| ''10:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] || [[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
| 11:30 || [[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] || [[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
| ''12:15'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 13:30 || Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| 13:50 || Subsystem Update: AppArmor || John Johansen, Canonical
|-
| 14:10 || Subsystem Update: Integrity || [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
| ''14:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 14:40 || Subsystem Update: SELinux || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| 15:00 || Subsystem Update: Capabilities || [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
| 15:20 || Subsystem Update: Seccomp || [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
| 15:40 || [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| ''16:10'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:30 || [[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

95b77550f1db1392f96bbfbe7d58b5cd5e4f175f 3681 3680 2015-08-18T23:56:37Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || Welcome || [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
| 09:05 || '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team || [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
| ''09:55'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:00 || [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] || [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
| ''11:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 11:45 || [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] || [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]]
|-
| ''12:45'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 14:00 || [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] || [[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
| 14:45 || [[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] || [[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
| ''15:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:00 || [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] || [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
| 09:45 || [[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] || [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
| ''10:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] || [[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
| 11:30 || [[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] || [[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
| ''12:15'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 13:30 || Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| 13:50 || Subsystem Update: AppArmor || John Johansen, Canonical
|-
| 14:10 || Subsystem Update: Integrity || [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
| ''14:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 14:40 || Subsystem Update: SELinux || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| 15:00 || Subsystem Update: Capabilities || [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
| 15:20 || Subsystem Update: Seccomp || [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
| 15:40 || [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| ''16:10'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:30 || [[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

454e07b59c07ad56b1804ad9ea8ef92f847d98e6 3682 3681 2015-08-19T16:31:46Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || Welcome || [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
| 09:05 || '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team || [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
| ''09:55'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:00 || [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' || [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
| ''11:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 11:45 || [[Linux_Security_Summit_2015/Abstracts/Stiller|Linux Incident Response]] || [[Linux_Security_Summit_2015/Bio/Stiller|Mike Scutt and Tim Stiller, Rapid7]]
|-
| ''12:45'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 14:00 || [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] || [[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
| 14:45 || [[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] || [[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
| ''15:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:00 || [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] || [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
| 09:45 || [[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] || [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
| ''10:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] || [[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
| 11:30 || [[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] || [[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
| ''12:15'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 13:30 || Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| 13:50 || Subsystem Update: AppArmor || John Johansen, Canonical
|-
| 14:10 || Subsystem Update: Integrity || [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
| ''14:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 14:40 || Subsystem Update: SELinux || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| 15:00 || Subsystem Update: Capabilities || [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
| 15:20 || Subsystem Update: Seccomp || [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
| 15:40 || [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| ''16:10'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:30 || [[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

928b2501f0e0d76f73908e803d3b72f11e4b7cf2 3683 3682 2015-08-19T16:32:42Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || Welcome || [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
| 09:05 || '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team || [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
| ''09:55'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:00 || [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' || [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
| ''11:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 11:45 || TBA || TBA
|-
| ''12:45'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 14:00 || [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] || [[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
| 14:45 || [[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] || [[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
| ''15:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:00 || [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] || [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
| 09:45 || [[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] || [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
| ''10:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] || [[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
| 11:30 || [[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] || [[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
| ''12:15'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 13:30 || Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| 13:50 || Subsystem Update: AppArmor || John Johansen, Canonical
|-
| 14:10 || Subsystem Update: Integrity || [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
| ''14:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 14:40 || Subsystem Update: SELinux || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| 15:00 || Subsystem Update: Capabilities || [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
| 15:20 || Subsystem Update: Seccomp || [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
| 15:40 || [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| ''16:10'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:30 || [[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

13c289ec15188fce9101a92284fa9b6868a221d0 3684 3683 2015-08-19T16:33:45Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || Welcome || [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
| 09:05 || '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team || [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
| ''09:55'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:00 || [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' || [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
| ''11:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 11:45 || TBA || TBA
|-
| ''12:45'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 14:00 || [[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] || [[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
| 14:45 || [[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] || [[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
| ''15:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 16:00 || [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
| ''17:00'' || colspan="2" | <span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
! Time !! Title !! Presenter
|-
| 09:00 || [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
| 09:45 || [[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] || [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
| ''10:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 10:45 || [[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] || [[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
| 11:30 || [[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] || [[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
| ''12:15'' || colspan="2" | <span style="color:darkgreen">''Lunch''</span>
|-
| 13:30 || Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' || [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
| 13:50 || Subsystem Update: AppArmor || John Johansen, Canonical
|-
| 14:10 || Subsystem Update: Integrity || [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
| ''14:30'' || colspan="2" | <span style="color:darkgreen">''Break''</span>
|-
| 14:40 || Subsystem Update: SELinux || [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore,
Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} d7a68c482925e650fcf76b1a1c439425f000b7bc 3685 3684 2015-08-19T16:34:13Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | 
[[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 | TBA | TBA |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} fcc4fb507ead0f08543650b05ba0c3e14b060161 3686 3685 2015-08-19T23:23:54Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki = Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" 
cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core 
Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] 
|- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:30 | TBA | TBA |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 9a71f3da5450df78a7efd1a435ea10d0253edb97 3687 3686 2015-08-19T23:25:39Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki = Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | 
[[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:20 | GRR Rapid Response: Remote Live Forensics for Incident Response | Sean Gillespie |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} d25072bc7fa4032153870d3a2d1dfc60a84e45ac Linux Security Summit 2015/Bio/Xu 0 150 3642 2015-07-04T08:29:52Z JamesMorris 2 Created page with "'''Herbert Xu''' is a Linux developer. His current interests include networking and cryptography." wikitext text/x-wiki '''Herbert Xu''' is a Linux developer. His current interests include networking and cryptography. 
d05fa359b4797025251ef669056a8e211a9c1b18 Linux Security Summit 2015 0 126 3643 3637 2015-07-04T08:31:13Z JamesMorris 2 /* Program Committee */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit] = Call for Participation = '''The CFP is now closed.''' The program committee sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques == Program Committee== The Linux Security Summit for 2015 is organized by: * [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] * [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] * [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] * Stephen Smalley, NSA * Joshua Brindle, Quark Security * [[Linux_Security_Summit_2015/Bio/Xu|Herbert Xu, Red Hat]] * John Johansen, Canonical * [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] * [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] * [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org 2c3f2eb440f993db9ec77462011b38b608f1594e 3645 3643 2015-07-07T02:15:08Z JamesMorris 2 /* Program Committee */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. 
Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit] = Call for Participation = '''The CFP is now closed.''' The program committee sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques == Program Committee== The Linux Security Summit for 2015 is organized by: * [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] * [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] * [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] * [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] * Joshua Brindle, Quark Security * [[Linux_Security_Summit_2015/Bio/Xu|Herbert Xu, Red Hat]] * John Johansen, Canonical * [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] * [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] * [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org f6cc122f1f08decfae93edc96ae75c285fe58b6f 3654 3645 2015-07-07T14:26:06Z JamesMorris 2 wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. 
The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. All attendees and presenters must be registered to attend LinuxCon. Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit] {{:Linux_Security_Summit_2015/Schedule}} = Call for Participation = '''The CFP is now closed.''' The program committee sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques == Program Committee== The Linux Security Summit for 2015 is organized by: * [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] * [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] * [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] * [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] * Joshua Brindle, Quark Security * [[Linux_Security_Summit_2015/Bio/Xu|Herbert Xu, Red Hat]] * John Johansen, Canonical * [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] * [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] * [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org 8071a5bb89c466acb1e35a513df8adf9607ea99a 3666 3654 2015-07-24T03:31:45Z JamesMorris 2 /* Event */ wikitext 
text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. <s>All attendees and presenters must be registered to attend LinuxCon.</s> ETA: LinuxCon registration is not required to attend LSS. Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit] {{:Linux_Security_Summit_2015/Schedule}} = Call for Participation = '''The CFP is now closed.''' The program committee sought proposals for: * Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged. * Discussion Topics: 30 minutes in length. 
Topic areas include, but are not limited to: * System hardening * Access control * Cryptography * Integrity control * Hardware security * Networking * Storage * Virtualization * Desktop * Tools * Management * Case studies * Emerging technologies, threats & techniques == Program Committee== The Linux Security Summit for 2015 is organized by: * [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] * [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] * [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] * [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] * Joshua Brindle, Quark Security * [[Linux_Security_Summit_2015/Bio/Xu|Herbert Xu, Red Hat]] * John Johansen, Canonical * [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] * [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] * [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org 5fc3f48e5a9ffcddee669d669d74dfe130d21e04 3668 3666 2015-08-09T22:38:47Z JamesMorris 2 /* Event */ wikitext text/x-wiki = Description = The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges. The format of the summit will be: * Refereed presentations * Subsystem updates * Breakout development sessions = Event = The Linux Security Summit for 2015 will be held across '''20 and 21 August''' in Seattle, WA, USA. It will be co-located with [https://events.linuxfoundation.org/events/linuxcon LinuxCon] and other events. LinuxCon registration is ''not'' required to attend LSS. 
Registration and general event details may be found here: [http://events.linuxfoundation.org/events/linux-security-summit http://events.linuxfoundation.org/events/linux-security-summit]

{{:Linux_Security_Summit_2015/Schedule}}

= Call for Participation =

'''The CFP is now closed.'''

The program committee sought proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

== Program Committee ==

The Linux Security Summit for 2015 is organized by:

* [[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
* [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
* [[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
* [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
* Joshua Brindle, Quark Security
* [[Linux_Security_Summit_2015/Bio/Xu|Herbert Xu, Red Hat]]
* John Johansen, Canonical
* [[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
* [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
* [[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]

The program committee may be contacted as a group via email: lss-pc@lists.linuxfoundation.org

4b135024e1790228b3ae3579892814edf74b4ea1 Linux Security Summit 2015/Bio/Smalley 0 151 3644 2015-07-07T02:14:14Z JamesMorris 2 Created page with "'''Stephen Smalley''' is a computer security researcher in the Trusted Systems Research organization of the US National Security Agency (NSA). He presently leads the NSA's Se..." wikitext text/x-wiki

'''Stephen Smalley''' is a computer security researcher in the Trusted Systems Research organization of the US National Security Agency (NSA). He presently leads the NSA's Security Enhancements (SE) for Android project, which is advancing the state of the art in mobile operating system security. Prior to his work on Android, Mr. Smalley led the development and successful technology transfer of Security-Enhanced Linux (SELinux) to mainline Linux and co-developed Flexible Mandatory Access Controls (FMAC) for the OpenSolaris project.

d34a8717a21ef99296a292b01b58cd6480208457 Linux Security Summit 2015/Bio/VanderStoep 0 152 3647 2015-07-07T02:18:36Z JamesMorris 2 Created page with "''Jeff Vander Stoep'' is a software engineer on the Android security team at Google where he is working on improving the security and privacy of the Android platform. He is a ..." wikitext text/x-wiki

''Jeff Vander Stoep'' is a software engineer on the Android security team at Google, where he is working on improving the security and privacy of the Android platform. He is a graduate of the University of Washington in Seattle.

340751c3c9e2073831d7171cdbecde7c15ce580e 3648 3647 2015-07-07T02:19:26Z JamesMorris 2 wikitext text/x-wiki

'''Jeff Vander Stoep''' is a software engineer on the Android security team at Google, where he is working on improving the security and privacy of the Android platform. He is a graduate of the University of Washington in Seattle.

e8bba4c9c19047799668e2d36d00ba35d506d737 Linux Security Summit 2015/Draft Schedule 0 153 3653 2015-07-07T02:31:10Z JamesMorris 2 JamesMorris moved page [[Linux Security Summit 2015/Draft Schedule]] to [[Linux Security Summit 2015/Schedule]] wikitext text/x-wiki

#REDIRECT [[Linux Security Summit 2015/Schedule]]

1b4958de45b72b33cc7fac1cd4b015b917cba4b2 Linux Security Summit 2015/Bio/Kon 0 154 3656 2015-07-08T01:35:04Z JamesMorris 2 Created page with "'''Konstantin Ryabitsev''' started programming in 1995 when CGIs ruled the web, and then spent a few years writing large applications in PHP. In 2001, he joined Duke Universit..." wikitext text/x-wiki

'''Konstantin Ryabitsev''' started programming in 1995 when CGIs ruled the web, and then spent a few years writing large applications in PHP. In 2001, he joined Duke University Physics (birthplace of YUM and early cradle of the Fedora Project) as a Linux systems administrator. After moving to Montreal in 2005, he worked as a Senior Web Programmer for the McGill University core web team, and then as a Senior IT Security Analyst for the Information Security Office. Konstantin joined The Linux Foundation in November 2011 and is part of The Linux Foundation Collaborative Projects devops team, responsible for managing kernel.org, codeaurora.org, opendaylight.org, yoctoproject.org, and others. He lives in Montreal, Quebec, with his wife and two kids.

a62b9abde13a7ddb7a6efa3ea28836d8d38248df Linux Security Summit 2015/Bio/Stiller 0 155 3660 2015-07-08T01:38:16Z JamesMorris 2 Created page with "'''Tim Stiller''' is a Consultant on the Rapid7 Analytic Response Team. His primary focus includes incident response, forensics, malware analysis, automation engineering and d..." wikitext text/x-wiki

'''Tim Stiller''' is a Consultant on the Rapid7 Analytic Response Team. His primary focus includes incident response, forensics, malware analysis, automation engineering and development. With over 7 years of experience, he has expertise in information security, systems hardening and innovation development. Prior to Rapid7, he worked for Mandiant’s Managed Defense Team as an Incident Analyst, where he responded to a variety of malware-based threats and developed an arsenal of automated tools to aid in hunting efforts. Tim holds multiple certifications including the CISSP, CEH and ECSA.

b3a724cbb9701de8336a9bf8d1de796dfeac3549 Linux Security Summit 2015/Bio/Baushke 0 156 3662 2015-07-08T11:52:12Z JamesMorris 2 Created page with "'''Mark Baushke''' has worked with Free and Open Source Software for many years including contributions to the GNU Compiler Collection, GNU Emacs, OpenSSH, and the CVS source ..." wikitext text/x-wiki

'''Mark Baushke''' has worked with Free and Open Source Software for many years, including contributions to the GNU Compiler Collection, GNU Emacs, OpenSSH, and the CVS source control system. He has worked at Juniper Networks from June 2000 to the present day. His work there has included software tool development, serving as an engineering member of the Security Incident Response Team, and working to obtain FIPS and Common Criteria certifications for the Junos Operating System across many releases. His current work is related to Juniper infrastructure security and readiness for Public Sector certifications for products based on GNU/Linux.

Educational Highlights:
* B.S.E in Electrical Engineering from the University of Michigan
* B.S.E in Computer Engineering from the University of Michigan

Professional Affiliations:
* ACM
* IEEE

Published works:
* RFC 6668

bd63747fff0f30f8ab8d7df87c61b5f13f65a0a4 Linux Security Summit 2015/Bio/Ratliff 0 157 3664 2015-07-09T14:53:46Z JamesMorris 2 Created page with "'''Emily Ratliff''' works as Sr. Director for Infrastructure Security at the Linux Foundation focusing on the Core Infrastructure Initiative. Emily has 15 years of experience ..." wikitext text/x-wiki

'''Emily Ratliff''' works as Sr. Director for Infrastructure Security at the Linux Foundation, focusing on the Core Infrastructure Initiative. Emily has 15 years of experience working as a security engineer for IBM and AMD. She has worked as a cloud security architect, an operating system security architect, and an infrastructure security architect. Emily has deep experience working with open standards groups including the Trusted Computing Group and GlobalPlatform. Emily holds a Bachelor of Science in Computer Science and German from the College of William and Mary and an MS degree in Computer Science from Florida State University. Emily has been a Certified Information Systems Security Professional since 2004.

28f04e13838b0cab32f32ed89fe2b0be67a03abf Linux Security Summit 2015/Bio/Wettstein 0 158 3669 2015-08-09T22:39:46Z JamesMorris 2 Created page with "'''Dr. Greg Wettstein''' has been active in Linux development since early 1992. In 1993 he carried out the first enterprise deployment of Linux, when he directed the developm..." wikitext text/x-wiki

'''Dr. Greg Wettstein''' has been active in Linux development since early 1992. In 1993 he carried out the first enterprise deployment of Linux, when he directed the development and implementation of an electronic medical record system on kernel version 0.96c at a major Midwest healthcare institution. In 1999 he began worrying about the impact on identity security of ubiquitously networked information systems. Strategies to address this issue led to his current work on using structural definitions for identity as an architectural foundation for implementing measured and attestable information integrity architectures. Dr. Greg, in collaboration with his Golden Retriever Izzy, currently influences measured application platform development for IDfusion from the north shore of Big Chippewa Lake in the glacial moraine country of west-central Minnesota, in a diligent effort to save the world as we know it.

451b5aaeccf134a2092b2a51807b58de832feec9 Linux Security Summit 2015/Bio/Gillespie 0 159 3688 2015-08-20T05:03:49Z JamesMorris 2 Created page with "Sean’s career in the InfoSec field began as a network defender in the USAF where he later transitioned to an attacker role with an aggressor squadron. After leaving the Air ..." wikitext text/x-wiki

Sean’s career in the InfoSec field began as a network defender in the USAF, where he later transitioned to an attacker role with an aggressor squadron. After leaving the Air Force he has spent most of his career developing tools and techniques for intrusion detection for both the DoD and private companies. He moved to the Bay Area as an early member of Mandiant’s Redwood City SOC, focusing on advanced detection methods, spent a year at Yahoo! working on open source security projects such as GRR, and is now a Senior Strategic Intrusion Analyst at CrowdStrike, where he is back to developing advanced detection methods.

b0b0ed13e9aeab27706a750ff5f03dea7d8bdf24 Linux Security Summit 2015/Abstracts/Gillespie GRR 0 160 3689 2015-08-20T05:04:50Z JamesMorris 2 Created page with "This will be a brief introduction and demonstration of the open source live response forensic platform GRR. I will cover some of the basic architecture and deployment conside..." wikitext text/x-wiki

This will be a brief introduction and demonstration of the open source live response forensic platform GRR. I will cover some of the basic architecture and deployment considerations, demonstrate some of the capabilities with a running test environment, and then close with opportunities to contribute to development and the growing community.
44512e000a25e7801e420ad4bd7d445d8c0dc4cd Linux Security Summit 2015/Schedule 0 127 3690 3687 2015-08-20T05:05:40Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| Sean Gillespie
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

9b39194e8b2138e51b2b90e99a36b57983b79322 3691 3690 2015-08-20T05:06:33Z JamesMorris 2 /* Schedule */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| Sean Gillespie
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

3fca8214cf73265d9d4641dcc1b3868466466068 3692 3691 2015-08-20T05:07:49Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

1cc2e4d8d6859877627c5c87da7474b3f2978946 3693 3692 2015-08-20T19:04:04Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

61d7df61906bf9f728b41805ef0d100c5461a5c6 3694 3693 2015-08-20T19:06:23Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]]
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

7a77254480791b16bd1bef7ae4a825a9b4283a60 3695 3694 2015-08-20T19:33:06Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]]
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]]
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]]
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| 
[[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:20 | [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]] | [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 337a79ce568aefc45bba12e18eafc418255d7b7a 3696 3695 2015-08-20T21:16:50Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://slides.com/mricon/giant-bags-of-mostly-water#/])'' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android 
Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- 
|10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:20 | [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]] | [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 946dd03956a9a363ab45706366211c696f9c2eee 3697 3696 2015-08-20T21:17:20Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = 
Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://slides.com/mricon/giant-bags-of-mostly-water#/ slides])'' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] 
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity 
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:20 | [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]] | [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} cca2810d0e8d56357d9e4dbac4631476cf869f6b 3698 3697 2015-08-20T22:10:39Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also 
[https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title 
!Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] 
''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:20 | [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]] | [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} eb98dfe39e54942b53e9640a9e2c5e004fa9b972 3699 3698 2015-08-21T16:05:57Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki = Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] 
''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor |John Johansen, Canonical |- |14:10 |Subsystem Update: Integrity |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:20 | [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]] | [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 05aeb8d3d2b17fcb8f5a307b32842ea269470fdb 3700 3699 2015-08-21T16:08:46Z JamesMorris 2 /* 
Day 1 (Thursday 20th August) */ wikitext text/x-wiki = Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, 
Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' 
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

0e8b58a5349c4d3d371fab109821031e6d27058c 3701 3700 2015-08-21T16:11:47Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

d0478ff25d567559cd21343cc241d6afa85a0ab3 3702 3701 2015-08-21T20:36:56Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor ''([http://kernsec.org/files/lss2015/lss-apparmor-update-2015.odp slides])''
|John Johansen, Canonical
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

b0c90c841aa0d781d1b2d068b985d0eec5807b54 3704 3702 2015-08-21T20:38:33Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]]
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor ''([http://kernsec.org/files/lss2015/lss-apparmor-update-2015.odp slides])''
|[[Linux_Security_Summit_2015/Bio/Johansen|John Johansen, Canonical]]
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

7ec9dc2305d969caad211fd7c9cf1eb8989eb250 3705 3704 2015-08-21T20:41:47Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] ''([http://kernsec.org/files/lss2015/LSS2015_IMA_EVM_On_Android.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor ''([http://kernsec.org/files/lss2015/lss-apparmor-update-2015.odp slides])''
|[[Linux_Security_Summit_2015/Bio/Johansen|John Johansen, Canonical]]
|-
|14:10
|Subsystem Update: Integrity
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

e8bc8f8a73b1518118b16908ad001d383682b3e8 3706 3705 2015-08-21T22:01:23Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]]
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] ''([http://kernsec.org/files/lss2015/LSS2015_IMA_EVM_On_Android.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor ''([http://kernsec.org/files/lss2015/lss-apparmor-update-2015.odp slides])''
|[[Linux_Security_Summit_2015/Bio/Johansen|John Johansen, Canonical]]
|-
|14:10
|Subsystem Update: Integrity ''([http://kernsec.org/files/lss2015/LSS2015-LinuxIntegritySubsystemStatus.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

5da8fbeeec33999e8a9ae070fd558dbabec67906 3707 3706 2015-08-21T22:04:39Z JamesMorris 2 /* Day 1 (Thursday 20th August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] ''([http://kernsec.org/files/lss2015/lss-audit_rework-pmoore-082015-r2.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] ''([http://kernsec.org/files/lss2015/LSS2015_IMA_EVM_On_Android.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor ''([http://kernsec.org/files/lss2015/lss-apparmor-update-2015.odp slides])''
|[[Linux_Security_Summit_2015/Bio/Johansen|John Johansen, Canonical]]
|-
|14:10
|Subsystem Update: Integrity ''([http://kernsec.org/files/lss2015/LSS2015-LinuxIntegritySubsystemStatus.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

3729efae31cdd14b4dfe69521b2590cc792ebb25 3708 3707 2015-08-21T22:05:21Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA])
|-
|''09:55''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:00
| [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])''
| [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]]
|-
|10:45
| [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]]
|-
|''11:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|11:45
|[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] ''([http://kernsec.org/files/lss2015/lss-audit_rework-pmoore-082015-r2.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|''12:45''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|14:00
|[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]]
|-
|14:45
|[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]]
|-
|''15:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|-
|16:00
| [[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

== Day 2 (Friday 21st August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
| [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]]
|-
|09:45
|[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]]
|-
|''10:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|10:45
|[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]]
|-
|11:30
|[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] ''([http://kernsec.org/files/lss2015/LSS2015_IMA_EVM_On_Android.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]]
|-
|''12:15''
|colspan="2"|<span style="color:darkgreen">''Lunch''</span>
|-
|13:30
|Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|13:50
|Subsystem Update: AppArmor ''([http://kernsec.org/files/lss2015/lss-apparmor-update-2015.odp slides])''
|[[Linux_Security_Summit_2015/Bio/Johansen|John Johansen, Canonical]]
|-
|14:10
|Subsystem Update: Integrity ''([http://kernsec.org/files/lss2015/LSS2015-LinuxIntegritySubsystemStatus.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]]
|-
|''14:30''
|colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|14:40
|Subsystem Update: SELinux ''([http://kernsec.org/files/lss2015/lss-state_of_selinux-pmoore-082015-r1.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]]
|-
|15:00
|Subsystem Update: Capabilities
| [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]]
|-
|15:20
|Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])''
|[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]]
|-
|15:40
| [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])''
| [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]]
|-
|''16:10''
| colspan="2"|<span style="color:darkgreen">''Break''</span>
|-
|16:20
| [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]]
| [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]]
|-
|''17:00''
|colspan="2"|<span style="color:darkgreen">''Finish''</span>
|}

8bad5b07cdc486532f56bd8716aff844cb96a5bc 3709 3708 2015-08-24T21:01:11Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki

= Schedule =

Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower'''

== Day 1 (Thursday 20th August) ==

{| border="1" cellpadding="6" cellspacing="0"
!Time
!Title
!Presenter
|-
|09:00
|Welcome
|[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]]
|-
|09:05
| '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your IT Infrastructure by Securing your Team
''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] ''([http://kernsec.org/files/lss2015/lss-audit_rework-pmoore-082015-r2.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | 
[[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] ''([http://kernsec.org/files/lss2015/LSS2015_IMA_EVM_On_Android.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor ''([http://kernsec.org/files/lss2015/lss-apparmor-update-2015.odp slides])'' 
|[[Linux_Security_Summit_2015/Bio/Johansen|John Johansen, Canonical]] |- |14:10 |Subsystem Update: Integrity ''([http://kernsec.org/files/lss2015/LSS2015-LinuxIntegritySubsystemStatus.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux ''([http://kernsec.org/files/lss2015/lss-state_of_selinux-pmoore-082015-r1.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities ''([http://kernsec.org/files/lss2015/capa.pdf])'' | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:20 | [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]] | [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} d155a8e55e47a07b4d26b0f7aaccdf9d4bf545e1 3710 3709 2015-08-24T21:01:36Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki = Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - Securing your 
IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] ''([http://kernsec.org/files/lss2015/lss-audit_rework-pmoore-082015-r2.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | 
[[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] ''([http://kernsec.org/files/lss2015/LSS2015_IMA_EVM_On_Android.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor ''([http://kernsec.org/files/lss2015/lss-apparmor-update-2015.odp slides])'' 
|[[Linux_Security_Summit_2015/Bio/Johansen|John Johansen, Canonical]] |- |14:10 |Subsystem Update: Integrity ''([http://kernsec.org/files/lss2015/LSS2015-LinuxIntegritySubsystemStatus.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux ''([http://kernsec.org/files/lss2015/lss-state_of_selinux-pmoore-082015-r1.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities ''([http://kernsec.org/files/lss2015/capa.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:20 | [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]] | [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} d34ac14eb834c704c2de8dbb6bb3ffa1cb56a41c 3711 3710 2015-08-26T18:05:55Z JamesMorris 2 /* Day 2 (Friday 21st August) */ wikitext text/x-wiki = Schedule = Note: LSS will be held in the '''Jefferson Room, 4th Floor, Union St Tower''' == Day 1 (Thursday 20th August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 |Welcome |[[Linux_Security_Summit_2015/Bio/Morris|James Morris, Oracle]] |- |09:05 | '''<span style="color:navy">Keynote:</span>''' Giant Bags of Mostly Water - 
Securing your IT Infrastructure by Securing your Team ''([http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Kon|Konstantin Ryabitsev, Linux Foundation]] (see also [https://www.linux.com/news/featured-blogs/200-libby-clark/814542-15-reddit-ama-questions-for-kernelorg-sysadmin-konstantin-ryabitsev Reddit AMA]) |- |''09:55'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:00 | [[Linux_Security_Summit_2015/Abstracts/Wettstein|CC3: An Identity Attested Linux Security Supervisor Architecture]] ''([http://kernsec.org/files/lss2015/idfusion-iso-identity-slides.pdf slides], [http://kernsec.org/files/lss2015/idfusion-iso-identity-paper.pdf paper])'' | [[Linux_Security_Summit_2015/Bio/Wettstein|Greg Wettstein, IDfusion]] |- |10:45 | [[Linux_Security_Summit_2015/Abstracts/Smalley|SELinux in Android Lollipop and Android M]] ''([http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Smalley|Stephen Smalley, NSA]] |- |''11:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |11:45 |[[Linux_Security_Summit_2015/Abstracts/Moore|Discussion: Rethinking Audit]] ''([http://kernsec.org/files/lss2015/lss-audit_rework-pmoore-082015-r2.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |''12:45'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |14:00 |[[Linux_Security_Summit_2015/Abstracts/Reshetova|Assembling Secure OS Images]] ''([http://kernsec.org/files/lss2015/reshetova.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Reshetova|Elena Reshetova, Intel]] |- |14:45 |[[Linux_Security_Summit_2015/Abstracts/Halcrow|Linux and Mobile Device Encryption]] ''([http://kernsec.org/files/lss2015/halcrow.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Halcrow|Paul Lawrence and Mike Halcrow, Google]] |- |''15:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |- |16:00 | 
[[Linux_Security_Summit_2015/Abstracts/Ratliff|Discussion: Core Infrastructure Initiative]] ''([http://kernsec.org/files/lss2015/CII-for-LSS-August2015-forposting.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Ratliff|Emily Ratliff, Linux Foundation]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} == Day 2 (Friday 21st August) == {| border="1" cellpadding="6" cellspacing="0" !Time !Title !Presenter |- |09:00 | [[Linux_Security_Summit_2015/Abstracts/Wojciechowski|Security Framework for Constraining Application Privileges]] ''([http://kernsec.org/files/lss2015/AppPrivs.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Wojciechowski|Lukasz Wojciechowski, Samsung]] |- |09:45 |[[Linux_Security_Summit_2015/Abstracts/Manolov|IMA/EVM: Real Applications for Embedded Networking Systems]] ''([http://kernsec.org/files/lss2015/ima-applications-slides.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Baushke|Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks]] |- |''10:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |10:45 |[[Linux_Security_Summit_2015/Abstracts/Vander_Stoep|Ioctl Command Whitelisting in SELinux]] ''([http://kernsec.org/files/lss2015/vanderstoep.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/VanderStoep|Jeffrey Vander Stoep, Google]] |- |11:30 |[[Linux_Security_Summit_2015/Abstracts/Kasatkin|IMA/EVM on Android Device]] ''([http://kernsec.org/files/lss2015/LSS2015_IMA_EVM_On_Android.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Kasatkin|Dmitry Kasatkin, Huawei Technologies]] |- |''12:15'' |colspan="2"|<span style="color:darkgreen">''Lunch''</span> |- |13:30 |Subsystem Update: Smack ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Smack.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |13:50 |Subsystem Update: AppArmor ''([http://kernsec.org/files/lss2015/lss-apparmor-update-2015.odp slides])'' 
|[[Linux_Security_Summit_2015/Bio/Johansen|John Johansen, Canonical]] |- |14:10 |Subsystem Update: Integrity ''([http://kernsec.org/files/lss2015/LSS2015-LinuxIntegritySubsystemStatus.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Zohar|Mimi Zohar, IBM]] |- |''14:30'' |colspan="2"|<span style="color:darkgreen">''Break''</span> |- |14:40 |Subsystem Update: SELinux ''([http://kernsec.org/files/lss2015/lss-state_of_selinux-pmoore-082015-r1.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Moore|Paul Moore, Red Hat]] |- |15:00 |Subsystem Update: Capabilities ''([http://kernsec.org/files/lss2015/capa.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Hallyn|Serge Hallyn, Canonical]] |- |15:20 |Subsystem Update: Seccomp ''([http://kernsec.org/files/lss2015/seccomp.pdf slides])'' |[[Linux_Security_Summit_2015/Bio/Cook|Kees Cook, Google]] |- |15:40 | [[Linux_Security_Summit_2015/Abstracts/Schaufler_Stacking|Discussion: Linux Security Module Stacking Next Steps]] ''([http://kernsec.org/files/lss2015/201508-LinuxSecuritySummit-Stacking.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Schaufler|Casey Schaufler, Intel]] |- |''16:10'' | colspan="2"|<span style="color:darkgreen">''Break''</span> |- |16:20 | [[Linux_Security_Summit_2015/Abstracts/Gillespie_GRR|GRR Rapid Response: Remote Live Forensics for Incident Response]] ''([http://kernsec.org/files/lss2015/GRR.pdf slides])'' | [[Linux_Security_Summit_2015/Bio/Gillespie|Sean Gillespie, CrowdStrike]] |- |''17:00'' |colspan="2"|<span style="color:darkgreen">''Finish''</span> |} 7c792296e8ecae20dad03f361fb6fda32fa571d9 Linux Security Summit 2015/Bio/Johansen 0 161 3703 2015-08-21T20:37:38Z JamesMorris 2 Created page with "'''John Johansen''' works for Canonical as a member of the Ubuntu Security team, focusing on kernel security. He has been involved with apparmor for several years and is the c..." wikitext text/x-wiki '''John Johansen''' works for Canonical as a member of the Ubuntu Security team, focusing on kernel security. 
He has been involved with AppArmor for several years and is the current upstream maintainer. He is involved in designing the security system of the Ubuntu Touch platform. Previously he worked on compiler hardening (stack canaries, format string mitigation, pointer encryption, ...).

''Page: Projects (page id 5), revision 3712 (parent 3412), 2015-11-04T16:02:43Z, KeesCook, edit summary: /* Kernel Security Projects */''

== Kernel Security Projects ==

=== Access Control ===
* [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks
* [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system
* [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework
* [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux
* [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available)
* [http://grsecurity.net/features.php grsecurity], an extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection, randomization and more...)
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], a Linux kernel patch implementing a security framework
* [http://schreuders.org/FBAC-LSM FBAC-LSM], which aims to provide easy-to-configure (functionality-based) application restrictions
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama], which adds restrictions to ptrace, providing a programmatic way to declare relationships between processes

=== Integrity ===
This is a rapidly developing area; see the following LWN article for an overview:
* [http://lwn.net/Articles/309441/ System integrity in Linux]

=== Privileges ===
* [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities]
** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article]

=== Networking ===
There are several separately maintained projects relating to network security, including:
* [http://www.netfilter.org/ Netfilter] packet filtering
* Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK; see [http://paulmoore.livejournal.com/ Paul Moore's blog]
* [http://www.nufw.org/ NuFW], an authenticating firewall based on Netfilter

=== Storage ===
* [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices

=== Cryptography ===
The cryptographic subsystem is maintained separately by Herbert Xu; refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list].

=== Working Group ===
* [[Linux Security Workgroup]]

=== Self Protection ===
* [[Kernel Self Protection Project]]

''Page: Kernel Self Protection Project (page id 162), revision 3713, 2015-11-04T16:35:26Z, KeesCook, edit summary: Outline the KSPP''

= Kernel Self Protection Project =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways that protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, smatch, coccinelle, coverity) and dynamic checkers (kernel configs, trinity, KASan). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate both classes of bugs and methods of exploitation.

Want to get involved?
[http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. == [[/Bug Class|Bug Classes]] == * [[/Bug Class/Stack overflow|Stack overflow]] * [[/Bug Class/Integer overflow|Integer overflow]] * [[/Bug Class/Heap overflow|Heap overflow]] * [[/Bug Class/Format string injection|Format string injection]] * [[/Bug Class/Kernel pointer leak|Kernel pointer leak]] * [[/Bug Class/Uninitialized variables|Uninitialized variables]] == [[/Exploit Method|Exploitation Methods]] == * [[/Exploit Method/Kernel location|Kernel location]] * [[/Exploit Method/Text overwrite|Text overwrite]] * [[/Exploit Method/Function pointer overwrite|Function pointer overwrite]] * [[/Exploit Method/Userspace execution|Userspace execution]] * [[/Exploit Method/Userspace data usage|Userspace data usage]] * [[/Exploit Method/Reused code chunks|Reused code chunks]] fee417dbb53a4a51de57276d2cf994dee802b645 3714 3713 2015-11-04T16:38:55Z KeesCook 3 /* Kernel Self Protection Project */ add links to existing bug-hunting tools wikitext text/x-wiki = Kernel Self Protection Project = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. 
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate both classes of bugs and methods of exploitation. Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. 
If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. == [[/Bug Class|Bug Classes]] == * [[/Bug Class/Stack overflow|Stack overflow]] * [[/Bug Class/Integer overflow|Integer overflow]] * [[/Bug Class/Heap overflow|Heap overflow]] * [[/Bug Class/Format string injection|Format string injection]] * [[/Bug Class/Kernel pointer leak|Kernel pointer leak]] * [[/Bug Class/Uninitialized variables|Uninitialized variables]] == [[/Exploit Method|Exploitation Methods]] == * [[/Exploit Method/Kernel location|Kernel location]] * [[/Exploit Method/Text overwrite|Text overwrite]] * [[/Exploit Method/Function pointer overwrite|Function pointer overwrite]] * [[/Exploit Method/Userspace execution|Userspace execution]] * [[/Exploit Method/Userspace data usage|Userspace data usage]] * [[/Exploit Method/Reused code chunks|Reused code chunks]] d4521fc8de8467a05b72009182c3d9532daac072 3715 3714 2015-11-04T16:39:22Z KeesCook 3 /* Kernel Self Protection Project */ wikitext text/x-wiki This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). 
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate both classes of bugs and methods of exploitation.

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.
== [[/Bug Class|Bug Classes]] ==
* [[/Bug Class/Stack overflow|Stack overflow]]
* [[/Bug Class/Integer overflow|Integer overflow]]
* [[/Bug Class/Heap overflow|Heap overflow]]
* [[/Bug Class/Format string injection|Format string injection]]
* [[/Bug Class/Kernel pointer leak|Kernel pointer leak]]
* [[/Bug Class/Uninitialized variables|Uninitialized variables]]

== [[/Exploit Method|Exploitation Methods]] ==
* [[/Exploit Method/Kernel location|Kernel location]]
* [[/Exploit Method/Text overwrite|Text overwrite]]
* [[/Exploit Method/Function pointer overwrite|Function pointer overwrite]]
* [[/Exploit Method/Userspace execution|Userspace execution]]
* [[/Exploit Method/Userspace data usage|Userspace data usage]]
* [[/Exploit Method/Reused code chunks|Reused code chunks]]

Revision 3716 (parent 3715), KeesCook, 2015-11-04T17:59:34Z, edit summary: carve out sections

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate both classes of bugs and methods of exploitation.

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.
= Work Areas =
This is far from a comprehensive list, but it's a starting point we can add to:

== [[/Bug Class|Bug Classes]] ==
* [[/Bug Class/Stack overflow|Stack overflow]]
* [[/Bug Class/Integer overflow|Integer overflow]]
* [[/Bug Class/Heap overflow|Heap overflow]]
* [[/Bug Class/Format string injection|Format string injection]]
* [[/Bug Class/Kernel pointer leak|Kernel pointer leak]]
* [[/Bug Class/Uninitialized variables|Uninitialized variables]]

== [[/Exploit Method|Exploitation Methods]] ==
* [[/Exploit Method/Kernel location|Kernel location]]
* [[/Exploit Method/Text overwrite|Text overwrite]]
* [[/Exploit Method/Function pointer overwrite|Function pointer overwrite]]
* [[/Exploit Method/Userspace execution|Userspace execution]]
* [[/Exploit Method/Userspace data usage|Userspace data usage]]
* [[/Exploit Method/Reused code chunks|Reused code chunks]]

Revision 3717 (parent 3716), KeesCook, 2015-11-04T20:41:20Z

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate both classes of bugs and methods of exploitation.

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.
= Work Areas =
This is far from a comprehensive list, but it's a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

Revision 3732 (parent 3717), KeesCook, 2015-11-04T22:35:57Z, edit summary: /* Mission Statement */

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.
= Work Areas =
This is far from a comprehensive list, but it's a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

Page "Bug Classes" (id 163), revision 3718, KeesCook, 2015-11-04T20:49:01Z, edit summary: Created page with "Many bugs in the kernel belong to specific classes. Here we try to focus on classes of bugs that have security implications, explain them, link to examples, and link to defens..."

Many bugs in the kernel belong to specific classes. Here we try to focus on classes of bugs that have security implications, explain them, link to examples, and link to defenses that are or could be used to entirely eliminate the bug class.

[[Kernel Self Protection Project]]

Page "Exploit Methods" (id 164), revision 3719, KeesCook, 2015-11-04T20:52:10Z, edit summary: Created page with "When [[Bug Classes|bugs]]in the kernel provide unintended read and write primitives to an attacker, there are many techniques used to gain execution control over the kernel. H..."

When [[Bug Classes|bugs]] in the kernel provide unintended read and write primitives to an attacker, there are many techniques used to gain execution control over the kernel.
Here we try to explain them, link to examples, and link to defenses that are or could be used to eliminate an exploitation method.

[[Kernel Self Protection Project]]

Revision 3720 (parent 3719), KeesCook, 2015-11-04T20:52:21Z

When [[Bug Classes|bugs]] in the kernel provide unintended read and write primitives to an attacker, there are many techniques used to gain execution control over the kernel. Here we try to explain them, link to examples, and link to defenses that are or could be used to eliminate an exploitation method.

[[Kernel Self Protection Project]]

Page "Template:Bug Classes/Preload" (id 165), revision 3721, KeesCook, 2015-11-04T20:57:24Z, edit summary: Created page with "Testing"

Testing

Revision 3722 (parent 3721), KeesCook, 2015-11-04T20:57:59Z, edit summary: Blanked the page (the revision has no content)

Page "Bug Classes/Stack overflow" (id 166), revision 3723, KeesCook, 2015-11-04T21:33:39Z, edit summary: Created page with "= Details = The traditional bug results in the stack buffer being written past the end of the stack frame, which allows the saved instruction pointer to be overwritten in orde..."

= Details =
The traditional bug results in a stack buffer being written past the end of the stack frame, which allows the saved instruction pointer to be overwritten in order to gain execution control. Other attacks could stay within the stack frame, manipulating local variables ("data only" attacks). Some attacks allow writes at arbitrary offsets between kernel stacks.

= Examples =
* [https://jon.oberheide.org/files/half-nelson.c half-nelson.c] This uses stack offsets, rather than the traditional buffer overflow.

= Mitigations =
* stack canaries (e.g. gcc's -fstack-protector and -fstack-protector-strong)
* kernel stack location randomization
* shadow stacks

Revision 3724 (parent 3723), KeesCook, 2015-11-04T21:35:47Z

= Details =
The traditional bug results in a stack buffer being written past the end of the stack frame, which allows the saved instruction pointer to be overwritten in order to gain execution control. Other attacks could stay within the stack frame, manipulating local variables ("data only" attacks). Some attacks allow writes at arbitrary offsets between kernel stacks.

= Examples =
* [https://jon.oberheide.org/files/half-nelson.c half-nelson.c] This uses stack offsets, rather than the traditional buffer overflow.

= Mitigations =
* stack canaries (e.g. gcc's -fstack-protector and [https://git.kernel.org/linus/8779657d29c0ebcc0c94ede4df2f497baf1b563f -fstack-protector-strong])
* kernel stack location randomization
* shadow stacks

Revision 3725 (parent 3724), KeesCook, 2015-11-04T21:44:26Z, edit summary: /* Mitigations */

= Details =
The traditional bug results in a stack buffer being written past the end of the stack frame, which allows the saved instruction pointer to be overwritten in order to gain execution control. Other attacks could stay within the stack frame, manipulating local variables ("data only" attacks). Some attacks allow writes at arbitrary offsets between kernel stacks.

= Examples =
* [https://jon.oberheide.org/files/half-nelson.c half-nelson.c] This uses stack offsets, rather than the traditional buffer overflow.

= Mitigations =
* stack canaries (e.g. gcc's -fstack-protector and [https://git.kernel.org/linus/8779657d29c0ebcc0c94ede4df2f497baf1b563f -fstack-protector-strong])
* guard pages (e.g. GRKERNSEC_KSTACKOVERFLOW)
* alloca checking (e.g. PAX_MEMORY_STACKLEAK)
* kernel stack location randomization
* shadow stacks

Revision 3726 (parent 3725), KeesCook, 2015-11-04T21:47:09Z, edit summary: /* Details */

= Details =
The traditional bug results in a stack buffer being written past the end of the stack frame, which allows the saved instruction pointer to be overwritten in order to gain execution control ("stack buffer overflow"). A stack depth overflow bug is when the stack grows past its maximum size (via deep call stacks or via alloca abuse) and allows writing onto other stacks or the thread_info. Other attacks could stay within the stack frame, manipulating local variables ("data only" attacks), and some attacks allow writes at arbitrary offsets between kernel stacks.

= Examples =
* [https://jon.oberheide.org/files/half-nelson.c half-nelson.c] This uses stack offsets, rather than the traditional buffer overflow.

= Mitigations =
* stack canaries (e.g. gcc's -fstack-protector and [https://git.kernel.org/linus/8779657d29c0ebcc0c94ede4df2f497baf1b563f -fstack-protector-strong])
* guard pages (e.g. GRKERNSEC_KSTACKOVERFLOW)
* alloca checking (e.g. PAX_MEMORY_STACKLEAK)
* kernel stack location randomization
* shadow stacks

Revision 3727 (parent 3726), KeesCook, 2015-11-04T21:48:07Z

=  Details =
The traditional bug results in a stack buffer being written past the end of the stack frame, which allows the saved instruction pointer to be overwritten in order to gain execution control ("stack buffer overflow"). A stack depth overflow bug is when the stack grows past its maximum size (via deep call stacks or via alloca abuse) and allows writing onto other stacks or the thread_info. Other attacks could stay within the stack frame, manipulating local variables ("data only" attacks), and some attacks allow writes at arbitrary offsets between kernel stacks.
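The stack buffer overflow described above, and the integer overflow bug class described on the next page, as an added example in userspace C (not code from the wiki, from PaX/grsecurity, or from the kernel): a 32-bit size computation that wraps satisfies the bounds check, so the copy runs over the canary, while the overflow-checked form refuses the same request; a saturating reference count rounds out the integer overflow side. The frame layout, canary value, input bytes and every name here (record_frame, build_record_wrapping, build_record_checked, refcount_inc_checked, demo_build) are constructed for the example; a real -fstack-protector canary is a random per-task value sitting between the frame's buffers and its saved return address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RECORD_BUF 16
/* Constructed canary value; -fstack-protector uses a random per-task value. */
#define CANARY_VALUE 0x4b4b4b4b4b4b4b4bULL

/* Model of a stack frame: a local buffer, then the canary that the compiler
 * places between local buffers and the saved frame pointer / return address. */
struct record_frame {
    char     buf[RECORD_BUF];
    uint64_t canary;
};

enum build_status { BUILD_OK, BUILD_TOO_LARGE, BUILD_SMASHED };

static void frame_init(struct record_frame *f)
{
    memset(f, 0, sizeof(*f));
    f->canary = CANARY_VALUE;
}

/* The epilogue check the compiler emits: a changed canary means the buffer
 * was overrun, and the code must stop rather than return through the frame. */
static bool frame_intact(const struct record_frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* "Before": the bounds check is done on a 32-bit product that can wrap, while
 * the copy loop walks the un-wrapped element count, so a wrapped product
 * passes the check and the loop writes past buf. The loop is clamped at the
 * end of the struct only so that the model stays well-defined C; a real
 * overrun keeps going into the saved return address. */
static enum build_status build_record_wrapping(struct record_frame *f,
                                               const uint8_t *src, size_t src_len,
                                               uint32_t count, uint32_t elem)
{
    uint32_t total = count * elem;          /* wraps silently on overflow */

    if (total > RECORD_BUF)
        return BUILD_TOO_LARGE;             /* satisfied by the wrapped value */
    for (uint32_t i = 0; i < count; i++) {
        size_t off = (size_t)i * elem;

        if (off + elem > src_len || off + elem > sizeof(*f))
            break;
        memcpy((char *)f + off, src + off, elem);
    }
    return frame_intact(f) ? BUILD_OK : BUILD_SMASHED;
}

/* "After": overflow-checked multiplication (what the kernel's
 * check_mul_overflow(), or PAX_SIZE_OVERFLOW instrumentation, provides) and a
 * copy bounded by both the destination and the source. */
static enum build_status build_record_checked(struct record_frame *f,
                                              const uint8_t *src, size_t src_len,
                                              uint32_t count, uint32_t elem)
{
    uint32_t total;

    if (__builtin_mul_overflow(count, elem, &total))
        return BUILD_TOO_LARGE;             /* the wrap is detected, not trusted */
    if (total > RECORD_BUF || total > src_len)
        return BUILD_TOO_LARGE;
    memcpy(f->buf, src, total);
    return frame_intact(f) ? BUILD_OK : BUILD_SMASHED;
}

/* Reference counter that refuses to wrap (the idea behind PAX_REFCOUNT and the
 * kernel's refcount_t): at the maximum the increment is dropped and reported,
 * so the object leaks instead of being freed while still referenced. */
static bool refcount_inc_checked(uint32_t *ref)
{
    if (*ref == UINT32_MAX)
        return false;
    (*ref)++;
    return true;
}

/* Constructed request: count * elem = 0x20000002 * 8 = 0x100000010, which
 * wraps to 16 in 32 bits, exactly RECORD_BUF; the 24-byte source then covers
 * the whole 16-byte buffer plus the 8-byte canary. */
static enum build_status demo_build(bool hardened)
{
    uint8_t msg[24];
    struct record_frame f;

    memset(msg, 'A', sizeof(msg));
    frame_init(&f);
    return hardened
        ? build_record_checked(&f, msg, sizeof(msg), 0x20000002u, 8u)
        : build_record_wrapping(&f, msg, sizeof(msg), 0x20000002u, 8u);
}
```

demo_build(false) returns BUILD_SMASHED: the canary is the only thing that notices the overrun, which is the whole point of the mitigation. demo_build(true) returns BUILD_TOO_LARGE before any byte is copied, which is where the integer overflow page's "detect multiplication overflows at runtime" mitigation stops the bug.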
= Examples =
* [https://jon.oberheide.org/files/half-nelson.c half-nelson.c] This uses stack offsets, rather than the traditional buffer overflow.

= Mitigations =
* stack canaries (e.g. gcc's -fstack-protector and [https://git.kernel.org/linus/8779657d29c0ebcc0c94ede4df2f497baf1b563f -fstack-protector-strong])
* guard pages (e.g. GRKERNSEC_KSTACKOVERFLOW)
* alloca checking (e.g. PAX_MEMORY_STACKLEAK)
* kernel stack location randomization
* shadow stacks

Page "Bug Classes/Integer overflow" (id 167), revision 3728, KeesCook, 2015-11-04T22:02:37Z, edit summary: Created page with "= Details = Integer overflows (or underflows) occur when a multiplication happens that exceeds the size that can be represented by the datatype, generally wrapping around. Th..."

= Details =
Integer overflows (or underflows) occur when a multiplication produces a value that exceeds what the datatype can represent, so the result generally wraps around. This usually results in either writing to too-small buffers, or producing out-of-bounds array indexes. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Additionally, reference counting can overflow and wrap around, leading to use-after-free exploits.

= Examples =
* [https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/ slub overflow]

= Mitigations =
* check for refcount overflows (e.g. PAX_REFCOUNT)
* compiler instrumentation to detect multiplication overflows at runtime (e.g. [https://github.com/ephox-gcc-plugins PAX_SIZE_OVERFLOW])

Page "Bug Classes/Heap overflow" (id 168), revision 3729, KeesCook, 2015-11-04T22:11:53Z, edit summary: Created page with "= Details = Heap overflows tend to occur due to integer overflows or otherwise broken bounds checking. Exploits overwrite adjacent heap memory, or manipulate the heap metadata..."

= Details =
Heap overflows tend to occur due to integer overflows or otherwise broken bounds checking. Exploits overwrite adjacent heap memory, or manipulate the heap metadata values.

= Examples =
* [http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html pty race condition]

= Mitigations =
* runtime validation of variable size vs copy_to_user/copy_from_user size (e.g. PAX_USERCOPY)
* guard pages
* metadata validation (e.g. glibc's heap protections)

Page "Bug Classes/Format string injection" (id 169), revision 3730, KeesCook, 2015-11-04T22:17:07Z, edit summary: Created page with "= Details = When an attacker supplied string is accidentally passed to format string parsing, the attacker can manipulate the resulting output. The write primitive available ..."

= Details =
When an attacker-supplied string is accidentally passed to format string parsing, the attacker can manipulate the resulting output. The write primitive available is through the use of the %n specifier, which writes to memory. All the other formats lead to information leaks.

= Examples =

= Mitigations =
* [https://git.kernel.org/linus/708d96fd060bd1e729fc93048cea8901f8bacb7c Eliminate the use of %n]
* detect non-const format strings at compile time (e.g. gcc's -Wformat-security)
* detect non-const format strings at run time (e.g. memory location checking done with glibc's -D_FORTIFY_SOURCE=2)

Page "Bug Classes/Kernel pointer leak" (id 170), revision 3731, KeesCook, 2015-11-04T22:34:53Z, edit summary: Created page with "= Details = When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel ..."
= Details =
When a kernel memory address (any of text, stack, heap, etc.) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a successful exploitation.

= Examples =
* so many: /proc (kallsyms, modules, slabinfo, etc.), /sys, etc.
* [http://vulnfactory.org/exploits/alpha-omega.c alpha-omega.c] uses INET_DIAG to target socket structure function pointers on the heap

= Mitigations =
* [https://git.kernel.org/linus/455cd5ab305c90ffc422dd2e0fb634730942b257 kptr_restrict] is too weak: requires opt-in by developers
* remove visibility of kernel symbols (e.g. GRKERNSEC_HIDESYM)
* detect and block usage of %p or similar writes to seq_file or other user buffers (e.g. GRKERNSEC_HIDESYM + PAX_USERCOPY)

Page "Bug Classes/Uninitialized variables" (id 171), revision 3733, KeesCook, 2015-11-04T22:44:29Z, edit summary: Created page with "= Details = When variables (on either stack or heap) are used without being explicitly initialized, behavior is "undefined". In reality, "uninitialized" just means "still has ..."

= Details =
When variables (on either stack or heap) are used without being explicitly initialized, behavior is "undefined". In reality, "uninitialized" just means "still has the prior value". When an attacker can control prior values, this can lead to exploitation or leaks, either through regular techniques or through "data-only" attacks.

= Examples =
* [https://outflux.net/slides/2011/defcon/kernel-exploitation.pdf Kernel Exploitation via Uninitialized Stack]

= Mitigations =
* clear kernel stack between system calls (e.g. PAX_MEMORY_STACKLEAK)
* instrument compiler to fully initialize all structures (e.g. PAX_MEMORY_STRUCTLEAK)

Page "Active Projects" (id 103), revision 3734 (parent 3452), KeesCook, 2015-11-04T22:46:25Z, edit summary: /* ASLR for kernel code */

The [[Linux Security Workgroup]] has put together this page in an effort to bring the Linux security community together in hardening the Linux Kernel and to help prevent duplication of efforts. There are a number of active Linux Kernel hardening projects and this page gives details on some of them.

= Static Analysis =

== Coccinelle ==
[http://en.wikipedia.org/wiki/Coccinelle_(software) Coccinelle] is a tool for matching and fixing source code for C, C++, and other languages.

Run by:
* Fengguang Wu - Running against what trees?
* Artem Bityutskiy - Running against what trees?

== Coverity ==
[http://en.wikipedia.org/wiki/Coverity Coverity] provides static analysis tools for C, C++, and other languages. Red Hat's Coverity license allows results to be shared with upstream projects.

Run by: Paul Moore at Red Hat against what trees?

== Smatch ==
[http://smatch.sourceforge.net/ Smatch] is a static analysis tool for C.

Run by:
* Dan Carpenter - Running against linux-next x86_64 allmodconfig
* Fengguang Wu - Running against what trees?

= Dynamic Analysis =

== kmemcheck, kmemleak ==
Linux Kernel debugging features for detecting memory issues.

Run by: ?

== KEDR ==
[http://kedr.berlios.de/ KEDR] provides runtime analysis of Linux kernel modules including device drivers, file system modules, etc.

Run by: ?

= Fuzz Testing =

== Trinity ==
[http://codemonkey.org.uk/projects/trinity/ Trinity] is a Linux system call fuzzer.

Run by: Dave Jones and Fengguang Wu

== Metasploit ==
[http://www.metasploit.com/ Metasploit] software is used for identifying security issues. It includes many capabilities, including fuzzer support.

Run by: ?

= Development =

== ASLR for kernel code ==
Kernel text and module base address now randomized on x86. Next will be arm64 and arm.
Project Owner: Google, Linaro

Page "Exploit Methods/Kernel location" (id 172), revision 3735, KeesCook, 2015-11-04T22:54:24Z, edit summary: Created page with "= Details = Finding the kernel location can be an important first step for exploitation. Without it, for example, it's harder to make kernel function calls for privilege escal..."

= Details =
Finding the kernel location can be an important first step for exploitation. Without it, for example, it's harder to make kernel function calls for privilege escalation. Besides the kernel itself, lots of other locations may be valuable to an attacker. See [[Bug Classes/Kernel pointer leak|Kernel pointer leaks]] for more information.

= Examples =
* See [[Bug Classes/Kernel pointer leak|Kernel pointer leaks]] examples
* /proc/kallsyms, /proc/modules
* [https://github.com/jonoberheide/ksymhunter ksymhunter]

= Mitigations =
* hide symbols and kernel pointers (see [[Bug Classes/Kernel pointer leak|Kernel pointer leaks]])
* [https://git.kernel.org/linus/8ab3820fd5b2896d66da7bb2a906bc382e63e7bc kernel ASLR]
* runtime randomization of kernel functions
* executable-but-not-readable memory
* per-build structure layout randomization (e.g. GRKERNSEC_RANDSTRUCT)

Revision 3736 (parent 3735), KeesCook, 2015-11-04T22:54:49Z, edit summary: /* Mitigations */

= Details =
Finding the kernel location can be an important first step for exploitation. Without it, for example, it's harder to make kernel function calls for privilege escalation. Besides the kernel itself, lots of other locations may be valuable to an attacker. See [[Bug Classes/Kernel pointer leak|Kernel pointer leaks]] for more information.
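The Kernel pointer leak and Uninitialized variables pages above both describe data reaching userspace with more in it than intended, and this Kernel location page describes what an attacker gains from a leaked text address. The following is an added example in userspace C, not code from the wiki or from the kernel: a model of the kptr_restrict policy for %pK (levels 0, 1 and 2 as described in the kernel's Documentation/sysctl/kernel.txt), and a struct-export routine that zeroes the whole object, padding included, before filling fields and applies that same policy to its pointer field. struct ksym_export, kptr_hidden, fmt_kptr, export_for_user, export_for_user_leaky, demo_export and the 0xffffffff81000000 sample address are constructed for the example. The plain-%p bypass the model reproduces is the "requires opt-in by developers" weakness noted on the Kernel pointer leak page; kernels from 4.15 on hash plain %p by default, which this model does not include.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a hypothetical ioctl copies back to userspace. On the common LP64 ABIs
 * the one-byte 'flags' field is followed by 7 bytes of padding that no field
 * assignment ever writes: "uninitialized" there means "whatever the previous
 * frame left on the stack", which is what STACKLEAK and STRUCTLEAK address. */
struct ksym_export {
    uint64_t addr;   /* a kernel text address: the leak the Kernel location page is about */
    uint8_t  flags;
    uint64_t size;
};

/* Model of %pK under kptr_restrict (Documentation/sysctl/kernel.txt):
 *   0: the pointer is printed as is
 *   1: printed only when the reader has CAP_SYSLOG, otherwise all zeros
 *   2: always zeros
 * A plain %p (restricted_spec == false) bypasses the policy entirely. */
static bool kptr_hidden(bool restricted_spec, int kptr_restrict, bool has_cap_syslog)
{
    if (!restricted_spec)
        return false;
    return kptr_restrict == 2 || (kptr_restrict == 1 && !has_cap_syslog);
}

/* Format a pointer the way a %p / %pK conversion would under the policy. */
static int fmt_kptr(char *out, size_t n, uint64_t ptr, bool restricted_spec,
                    int kptr_restrict, bool has_cap_syslog)
{
    uint64_t shown = kptr_hidden(restricted_spec, kptr_restrict, has_cap_syslog) ? 0 : ptr;

    return snprintf(out, n, "%016llx", (unsigned long long)shown);
}

/* "Before": fields are assigned one by one; the padding keeps whatever the
 * memory held, and a copy_to_user() of the whole struct hands it out
 * together with the raw kernel pointer. */
static void export_for_user_leaky(struct ksym_export *out, uint64_t addr,
                                  uint8_t flags, uint64_t size)
{
    out->addr = addr;
    out->flags = flags;
    out->size = size;
}

/* "After": zero the whole object first (padding included), and apply the
 * same policy as %pK to the pointer field instead of copying it raw. */
static void export_for_user(struct ksym_export *out, uint64_t addr, uint8_t flags,
                            uint64_t size, int kptr_restrict, bool has_cap_syslog)
{
    memset(out, 0, sizeof(*out));
    out->addr = kptr_hidden(true, kptr_restrict, has_cap_syslog) ? 0 : addr;
    out->flags = flags;
    out->size = size;
}

/* True when every padding byte between 'flags' and 'size' is zero. */
static bool padding_is_zero(const struct ksym_export *e)
{
    const unsigned char *p = (const unsigned char *)e;
    size_t i;

    for (i = offsetof(struct ksym_export, flags) + sizeof(e->flags);
         i < offsetof(struct ksym_export, size); i++)
        if (p[i] != 0)
            return false;
    return true;
}

/* Constructed scenario: the object's memory still holds bytes (0xAA) from an
 * earlier call, as a reused kernel stack slot would, and the reader is an
 * unprivileged process under kptr_restrict=1. The address is a typical x86-64
 * kernel text base, used only as a sample value. Returns true when nothing
 * (neither padding nor pointer) leaks. */
static bool demo_export(bool hardened)
{
    struct ksym_export e;

    memset(&e, 0xAA, sizeof(e));
    if (hardened)
        export_for_user(&e, 0xffffffff81000000ULL, 1, 4096, 1, false);
    else
        export_for_user_leaky(&e, 0xffffffff81000000ULL, 1, 4096);
    return padding_is_zero(&e) && e.addr == 0;
}
```

demo_export(false) is false because the raw address is still in the struct (and, on LP64 targets, because the 0xAA padding survives); demo_export(true) is true. The fmt_kptr cases show the policy: restrict level 2 and level 1 without CAP_SYSLOG print zeros for %pK, while a plain %p prints the address under every setting.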
= Examples =
* See [[Bug Classes/Kernel pointer leak|Kernel pointer leaks]] examples
* /proc/kallsyms, /proc/modules
* [https://github.com/jonoberheide/ksymhunter ksymhunter]

= Mitigations =
* hide symbols and kernel pointers (see [[Bug Classes/Kernel pointer leak|Kernel pointer leaks]])
* [https://git.kernel.org/linus/8ab3820fd5b2896d66da7bb2a906bc382e63e7bc kernel ASLR]
* runtime randomization of kernel functions
* executable-but-not-readable memory
* per-build structure layout randomization (e.g. GRKERNSEC_RANDSTRUCT)

Revision 3737 (parent 3736), KeesCook, 2015-11-04T22:55:03Z, edit summary: /* Details */

= Details =
Finding the kernel location can be an important first step for exploitation. Without it, for example, it's harder to make kernel function calls for privilege escalation. Besides the kernel itself, lots of other locations may be valuable to an attacker. See [[Bug Classes/Kernel pointer leak|Kernel pointer leaks]] for more information.

= Examples =
* See [[Bug Classes/Kernel pointer leak|Kernel pointer leaks]] examples
* /proc/kallsyms, /proc/modules
* [https://github.com/jonoberheide/ksymhunter ksymhunter]

= Mitigations =
* hide symbols and kernel pointers (see [[Bug Classes/Kernel pointer leak|Kernel pointer leaks]])
* [https://git.kernel.org/linus/8ab3820fd5b2896d66da7bb2a906bc382e63e7bc kernel ASLR]
* runtime randomization of kernel functions
* executable-but-not-readable memory
* per-build structure layout randomization (e.g. GRKERNSEC_RANDSTRUCT)

Page "Exploit Methods/Text overwrite" (id 173), revision 3738, KeesCook, 2015-11-04T23:00:22Z, edit summary: Created page with "= Details = If an attacker has a write primitive and knows where the kernel is located in memory, they could overwrite functions to do whatever they wanted. Protecting against..."
Exploit Methods/Text overwrite (page 173, created 2015-11-04T23:00:22Z, revision 3746 by KeesCook, 2015-11-18T22:02:56Z):

= Details =
If an attacker has a write primitive and knows where the kernel is located in memory, they could overwrite functions to do whatever they wanted. Protecting against this is the most basic of kernel memory protections: make sure the kernel is read-only.

= Examples =
* patch setuid to always succeed
* [http://itszn.com/blog/?p=21 overwrite vDSO]

= Mitigations =
* Do not leave executable memory also writable

Exploit Methods/Function pointer overwrite (page 174, revision 3739 by KeesCook, 2015-11-04T23:10:31Z):

= Details =
When an attacker has a write primitive, they can target function pointers to redirect execution. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.

= Examples =
* [https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-exploit/ security_operations overwrite]
* [https://blogs.oracle.com/ksplice/entry/anatomy_of_an_exploit_cve IDT, timer_list_fops, or security_operations overwrite]

= Mitigations =
* make function pointer tables read-only (e.g. PAX_CONSTIFY_PLUGIN)
* make sensitive targets that need only occasional updates writable only during updates (e.g. PAX_KERNEXEC)
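As an added example for the Text overwrite and Function pointer overwrite pages above, not code from the kernsec wiki: both mitigation lists come down to never leaving executable kernel memory writable, and this parser finds such ranges in the x86 page-table dump (/sys/kernel/debug/kernel_page_tables, CONFIG_X86_PTDUMP) and checks the build options that enforce the split. The dump and config lines are constructed to match that layout, not captured from a real kernel.

```python
"""Find kernel mappings that are writable and executable at the same time.

Added example, not code from the kernsec wiki. The x86 ptdump format is an
address range, a size, then permission tokens ("RW" or "ro", "x" or "NX",
PSE, GLB, ...) and the page-table level. Samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

RANGE_RE = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+(\S+)\s*(.*)$")


@dataclass
class Mapping:
    start: int
    end: int
    size: str
    writable: bool
    executable: bool
    level: str

    def __str__(self) -> str:
        perm = ("RW" if self.writable else "ro") + "+" + ("X" if self.executable else "NX")
        return f"0x{self.start:016x}-0x{self.end:016x} {self.size:>4} {perm} ({self.level})"


def parse_ptdump(text: str) -> List[Mapping]:
    """Parse ptdump range lines; '---[ section ]---' headers are skipped."""
    maps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---["):
            continue
        m = RANGE_RE.match(line)
        if m is None:
            continue                   # not a range line
        start, end, size, rest = m.groups()
        tokens = rest.split()
        level = tokens[-1] if tokens else "?"
        maps.append(Mapping(int(start, 16), int(end, 16), size,
                            writable="RW" in tokens,
                            executable="x" in tokens and "NX" not in tokens,
                            level=level))
    return maps


def wx_mappings(text: str) -> List[Mapping]:
    """Ranges violating W^X: a write primitive could patch code there directly."""
    return [m for m in parse_ptdump(text) if m.writable and m.executable]


# Build options that make kernel text read-only and data non-executable.
# STRICT_*_RWX are the current names (since v4.11); DEBUG_RODATA and
# DEBUG_SET_MODULE_RONX are their predecessors.
RWX_OPTIONS = {
    "kernel": ("CONFIG_STRICT_KERNEL_RWX", "CONFIG_DEBUG_RODATA"),
    "modules": ("CONFIG_STRICT_MODULE_RWX", "CONFIG_DEBUG_SET_MODULE_RONX"),
}


def rwx_config_status(config_text: str) -> Dict[str, bool]:
    """Whether the kernel config enables W^X enforcement for text and modules."""
    enabled = {line.split("=", 1)[0] for line in config_text.splitlines()
               if line.endswith("=y")}
    return {area: any(opt in enabled for opt in opts)
            for area, opts in RWX_OPTIONS.items()}


# Constructed dump: kernel text ro+x, data RW+NX, and one stray RW+x module
# range of the kind a missing STRICT_MODULE_RWX leaves behind.
SAMPLE_DUMP = """\
---[ Kernel Mapping ]---
0xffffffff81000000-0xffffffff81e00000     14M     ro         PSE     GLB x  pmd
0xffffffff81e00000-0xffffffff82000000      2M     RW         PSE     GLB NX pmd
---[ Modules ]---
0xffffffffc0000000-0xffffffffc0005000     20K     RW                 GLB x  pte
0xffffffffc0005000-0xffffffffc0008000     12K     ro                 GLB x  pte
"""
SAMPLE_CONFIG_GOOD = "CONFIG_STRICT_KERNEL_RWX=y\nCONFIG_STRICT_MODULE_RWX=y\n"
SAMPLE_CONFIG_BAD = "# CONFIG_STRICT_KERNEL_RWX is not set\nCONFIG_STRICT_MODULE_RWX=y\n"

if __name__ == "__main__":
    for m in wx_mappings(SAMPLE_DUMP):
        print("W+X:", m)
    print(rwx_config_status(SAMPLE_CONFIG_GOOD), rwx_config_status(SAMPLE_CONFIG_BAD))
```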
Exploit Methods/Userspace execution (page 175, created 2015-11-04T23:15:22Z, revision 3772 by KeesCook, 2016-04-05T18:10:27Z):

= Details =
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there. (Frequently known as "ret2usr".)

For more details, see [[Exploit Methods/Userspace data usage|Userspace access]], as that is technically a superset of userspace execution.

= Examples =
* See nearly every other exploit example listed under other [[Exploit Methods]] and [[Bug Classes]].

= Mitigations =
* hardware segmentation: SMEP (x86), PXN (arm)
* compiler instrumentation to set high bit on function calls
* emulate memory segmentation via separate page tables (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:

{| class="wikitable"
!colspan="2"|CPU
! Feature Name
|-
|rowspan="3"| ARM
| ARMv7 32-bit non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN
|-
| ARMv7 32-bit LPAE (e.g. Cortex-A7, A15+)
| hardware PXN
|-
| ARMv8.0+
| hardware PXN
|-
|rowspan="2"| x86
| pre-Ivy-Bridge
|style="color: red;"| nothing
|-
| Ivy-Bridge+ (since May 2012)
| hardware PXN (SMEP)
|-
|colspan="2"| s/390
| hardware PXN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Exploit Methods/Userspace data usage (page 176, created 2015-11-04T23:20:42Z, revision 3786 by KeesCook, 2016-07-31T21:38:50Z):

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that this is a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. If we can protect against userspace access, we'll also be protecting against userspace execution.
= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segmentation via segments, Domains, page table swapping, PCID, etc. e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"|CPU
! Feature Name
|-
|rowspan="5"| ARM
| v7 32-bit non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN
|-
| v7 32-bit LPAE
| future: CONFIG_CPU_TTBR0_PAN ([http://marc.info/?l=linux-arm-kernel&m=144308911409429&w=2 Catalin's series])
|-
| v8.0 32-bit
| future: CONFIG_CPU_TTBR0_PAN
|-
| v8.0 64-bit
| future: CONFIG_CPU_TTBR0_PAN
|-
| v8.1 (since December 2014)
| hardware PAN
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}
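As an added example for the Userspace execution and Userspace data usage pages above, not code from the kernsec wiki: the two status tables turned into a check against /proc/cpuinfo, /proc/cmdline and the kernel config. It assumes the x86 "smep"/"smap" cpuinfo flags, the nosmep/nosmap boot parameters, CONFIG_X86_SMAP, CONFIG_ARM_LPAE, CONFIG_CPU_SW_DOMAIN_PAN and CONFIG_ARM64_PAN, and that the TTBR0-switching series the table lists as "future" was merged as CONFIG_ARM64_SW_TTBR0_PAN (my identification of the merged option, not the page's). All cpuinfo, cmdline and config samples are constructed.

```python
"""Report which PXN (SMEP) and PAN (SMAP) protections a system actually has.

Added example, not code from the kernsec wiki. Option and flag names are as
stated in the lead-in; CONFIG_ARM64_SW_TTBR0_PAN as the merged name of the
"future" TTBR0 series is this example's assumption. Samples are constructed.
"""
from typing import Dict, Set

NONE, HW, SW = "nothing", "hardware", "software (emulated)"


def cpuinfo_flags(cpuinfo: str) -> Set[str]:
    """Union of the 'flags' (x86) or 'Features' (arm/arm64) tokens of all CPUs."""
    flags: Set[str] = set()
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("flags", "Features"):
            flags.update(value.split())
    return flags


def enabled_options(config: str) -> Set[str]:
    """CONFIG_* symbols set to y in a .config / /proc/config.gz listing."""
    return {line.split("=", 1)[0] for line in config.splitlines()
            if line.endswith("=y")}


def audit_pxn_pan(arch: str, cpuinfo: str, config: str, cmdline: str = "",
                  arm64_v81: bool = False) -> Dict[str, str]:
    """Return {'PXN': status, 'PAN': status} for arch in {'x86', 'arm', 'arm64'}.

    arm64 does not list the PAN extension among the userspace-visible
    Features (it is kernel-only), so the caller states whether the CPU
    implements ARMv8.1 PAN."""
    flags = cpuinfo_flags(cpuinfo)
    opts = enabled_options(config)
    params = set(cmdline.split())
    if arch == "x86":
        pxn = HW if "smep" in flags and "nosmep" not in params else NONE
        pan = (HW if "smap" in flags and "CONFIG_X86_SMAP" in opts
               and "nosmap" not in params else NONE)
    elif arch == "arm":
        # The short-descriptor page-table format has no PXN bit, so only
        # LPAE kernels get hardware PXN; on non-LPAE, Domain-based software
        # PAN blocks userspace access, which also covers execution.
        sw_pan = "CONFIG_CPU_SW_DOMAIN_PAN" in opts
        pxn = HW if "CONFIG_ARM_LPAE" in opts else (SW if sw_pan else NONE)
        pan = SW if sw_pan else NONE
    elif arch == "arm64":
        pxn = HW                       # architectural in ARMv8.0+
        if "CONFIG_ARM64_PAN" in opts and arm64_v81:
            pan = HW
        elif "CONFIG_ARM64_SW_TTBR0_PAN" in opts:
            pan = SW
        else:
            pan = NONE
    else:
        raise ValueError(f"unsupported arch: {arch!r}")
    return {"PXN": pxn, "PAN": pan}


def open_methods(report: Dict[str, str]) -> Set[str]:
    """Exploit methods from the wiki that the report leaves unmitigated."""
    methods = set()
    if report["PXN"] == NONE:
        methods.add("Userspace execution (ret2usr)")
    if report["PAN"] == NONE:
        methods.add("Userspace data usage")
    return methods


# Constructed samples.
CPUINFO_X86_NEW = "processor\t: 0\nflags\t\t: fpu sse sse2 nx smep smap\n"
CPUINFO_X86_OLD = "processor\t: 0\nflags\t\t: fpu sse sse2 nx\n"
CONFIG_X86 = "CONFIG_X86_64=y\nCONFIG_X86_SMAP=y\n"
CONFIG_ARM_V7 = "CONFIG_ARM=y\nCONFIG_CPU_SW_DOMAIN_PAN=y\n"
CONFIG_ARM64 = "CONFIG_ARM64=y\nCONFIG_ARM64_PAN=y\nCONFIG_ARM64_SW_TTBR0_PAN=y\n"

if __name__ == "__main__":
    cases = {
        "x86 modern": ("x86", CPUINFO_X86_NEW, CONFIG_X86),
        "x86 old": ("x86", CPUINFO_X86_OLD, CONFIG_X86),
        "x86 nosmap": ("x86", CPUINFO_X86_NEW, CONFIG_X86, "root=/dev/sda1 nosmap"),
    }
    for name, args in cases.items():
        report = audit_pxn_pan(*args)
        print(name, report, open_methods(report))
```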
= Examples = * [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure] * [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack] * [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts] = Mitigations = * hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm) * emulated PAN (memory segmentation via segments, Domains, page table swapping, PCID, etc. e.g. PAX_MEMORY_UDEREF) Right now, the upstream options available for Privileged Access Never (PAN) are: {| class="wikitable" !colspan="2"|CPU ! Feature Name |- |rowspan="5"| ARM | v7 32-bit non-LPAE | CONFIG_CPU_SW_DOMAIN_PAN |- | v7 32-bit LPAE | future: CONFIG_CPU_TTBR0_PAN ([http://marc.info/?l=linux-arm-kernel&m=144308911409429&w=2 Catalin's series]) |- | v8.0 32-bit | future: CONFIG_CPU_TTBR0_PAN |- | v8.0 64-bit | future: CONFIG_CPU_TTBR0_PAN |- | v8.1 (since December 2014) | hardware PAN |- |rowspan="2"| x86 | pre-late-Broadwell |style="color: red;"| nothing |- | Broadwell+ (since October 2014) | hardware PAN (SMAP) |- |colspan="2"| s/390 | hardware PAN (Address Spaces) |- |colspan="2"| powerpc |style="color: red;"| nothing? |- |colspan="2"| MIPS |style="color: red;"| nothing (could use ASID switching?) |} ffffca102da69600b67c54c6c2d80c71c1500097 Exploit Methods/Reused code chunks 0 177 3742 2015-11-04T23:25:17Z KeesCook 3 Created page with "= Details = This is more generally knows as Return Oriented Programming (ROP) or Jump Oriented Programming (JOP), but ultimately boils down to using the kernel's own executabl..." wikitext text/x-wiki = Details = This is more generally knows as Return Oriented Programming (ROP) or Jump Oriented Programming (JOP), but ultimately boils down to using the kernel's own executable memory to build a chain of gadgets in order to perform the attacker's exploit. 
= Examples =
* [http://vulnfactory.org/research/h2hc-remote.pdf remote execution]

= Mitigations =
* compiler instrumentation for Control Flow Integrity (CFI)
* Return Address Protection, Indirect Control Transfer Protection (e.g. [https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf RAP])

89aea160dc5dd96b795bfac568044c2c8b3097d8 3774 3742 2016-04-12T22:34:40Z KeesCook 3 /* Examples */ wikitext text/x-wiki

= Details =
This is more generally known as Return Oriented Programming (ROP) or Jump Oriented Programming (JOP), but ultimately boils down to using the kernel's own executable memory to build a chain of gadgets in order to perform the attacker's exploit.

= Examples =
* [https://github.com/djrbliss/rose-exploit remote execution] ([http://vulnfactory.org/research/h2hc-remote.pdf slides])

= Mitigations =
* compiler instrumentation for Control Flow Integrity (CFI)
* Return Address Protection, Indirect Control Transfer Protection (e.g. [https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf RAP])

d0de6baff515a0cd3817bae37adcb1f341e07c62 3777 3774 2016-05-04T22:10:19Z KeesCook 3 /* Examples */ wikitext text/x-wiki

= Details =
This is more generally known as Return Oriented Programming (ROP) or Jump Oriented Programming (JOP), but ultimately boils down to using the kernel's own executable memory to build a chain of gadgets in order to perform the attacker's exploit.

= Examples =
* [https://github.com/djrbliss/rose-exploit remote execution] ([http://vulnfactory.org/research/h2hc-remote.pdf slides])
* [https://github.com/01org/jit-spray-poc-for-ksp JIT spraying]

= Mitigations =
* compiler instrumentation for Control Flow Integrity (CFI)
* Return Address Protection, Indirect Control Transfer Protection (e.g. [https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf RAP])

527f0ae654db7a6450cce811125be778427f1105 3778 3777 2016-05-04T22:10:50Z KeesCook 3 /* Mitigations */ wikitext text/x-wiki

= Details =
This is more generally known as Return Oriented Programming (ROP) or Jump Oriented Programming (JOP), but ultimately boils down to using the kernel's own executable memory to build a chain of gadgets in order to perform the attacker's exploit.

= Examples =
* [https://github.com/djrbliss/rose-exploit remote execution] ([http://vulnfactory.org/research/h2hc-remote.pdf slides])
* [https://github.com/01org/jit-spray-poc-for-ksp JIT spraying]

= Mitigations =
* compiler instrumentation for Control Flow Integrity (CFI)
* Return Address Protection, Indirect Control Transfer Protection (e.g. [https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf RAP])
* Constant blinding (to defeat JIT sprays)

445545585be5ace4ec94e860b47dcf5af3414ad9 Bug Classes/Kernel pointer leak 0 170 3743 3731 2015-11-05T01:50:22Z KeesCook 3 /* Details */ wikitext text/x-wiki

= Details =
When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a successful exploitation. If locations aren't identified correctly, an attacker could crash the entire system, which makes kernel leaks critical to successful exploitation.

= Examples =
* so many: /proc (kallsyms, modules, slabinfo, etc), /sys, etc
* [http://vulnfactory.org/exploits/alpha-omega.c alpha-omega.c] uses INET_DIAG to target socket structure function pointers on the heap

= Mitigations =
* [https://git.kernel.org/linus/455cd5ab305c90ffc422dd2e0fb634730942b257 kptr_restrict] is too weak: requires opt-in by developers
* remove visibility to kernel symbols (e.g. GRKERNSEC_HIDESYM)
* detect and block usage of %p or similar writes to seq_file or other user buffers (e.g. GRKERNSEC_HIDESYM + PAX_USERCOPY)

577483e250b498dc249839b175a36e158d9e55a5 Kernel Self Protection Project 0 162 3745 3732 2015-11-17T21:49:42Z KeesCook 3 principles wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.
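The kernel pointer leak mitigations above call kptr_restrict "too weak" because it only applies to format strings a developer has opted into. A userspace model of that policy, added here as an example (not code from the kernsec wiki or from the kernel), makes the weakness concrete and pairs it with the kind of check a test module could run over a user-visible buffer. The function names, the kptr_restrict levels as modelled, the capability flag, the kernel address range and the sample record are assumptions made for the illustration; the model follows the era of this page, when plain %p printed the raw address (since v4.15 upstream hashes %p by default).

```c
/* Added example (not from the kernsec wiki or the kernel): a userspace model
 * of the kptr_restrict policy plus a leak check for user-visible buffers.
 * Two format paths exist: %pK (opt_in = 1) consults kptr_restrict, while
 * plain %p (opt_in = 0) prints the raw address with no policy at all.
 * Levels, capability flag, addresses and output are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <inttypes.h>

#define KERNEL_MIN 0xffff800000000000ULL   /* constructed: lowest kernel address */

enum { KPTR_OFF = 0, KPTR_CAP_SYSLOG = 1, KPTR_ALWAYS = 2 };  /* modelled sysctl levels */

/* May the current reader see a %pK pointer under this kptr_restrict setting? */
int kptr_visible(int kptr_restrict, int reader_has_cap_syslog)
{
    switch (kptr_restrict) {
    case KPTR_OFF:        return 1;
    case KPTR_CAP_SYSLOG: return reader_has_cap_syslog;
    default:              return 0;     /* 2 and above: never to userspace */
    }
}

/* Format one pointer into a user-visible buffer. opt_in = 1 models %pK,
 * opt_in = 0 models plain %p, which ignores the policy entirely. */
int format_kptr(char *out, size_t n, uint64_t p, int opt_in, int kptr_restrict, int has_cap)
{
    if (opt_in && !kptr_visible(kptr_restrict, has_cap))
        p = 0;                       /* %pK substitutes zeros when restricted */
    return snprintf(out, n, "%016" PRIx64, p);
}

/* A proc-style show() routine: writes one record to the user-visible buffer. */
int show_record(char *out, size_t n, uint64_t handler, int opt_in, int kptr_restrict, int has_cap)
{
    char addr[32];
    format_kptr(addr, sizeof addr, handler, opt_in, kptr_restrict, has_cap);
    return snprintf(out, n, "handler: %s\n", addr);
}

/* Detection check: does the buffer contain a hex token in the kernel address
 * range? The sort of assertion a self-test could make about /proc output. */
int buffer_leaks_kernel_ptr(const char *buf)
{
    const char *s = buf;
    while (*s) {
        if (!isxdigit((unsigned char)*s)) { s++; continue; }
        char *end;
        unsigned long long v = strtoull(s, &end, 16);
        if (end == s) { s++; continue; }            /* defensive: never stall */
        size_t digits = (size_t)(end - s);
        if (digits >= 12 && digits <= 16 && v >= KERNEL_MIN)
            return 1;
        s = end;
    }
    return 0;
}

/* Scenario helper: returns 1 if a record written with these settings leaks. */
int record_leaks(int opt_in, int kptr_restrict, int has_cap)
{
    char buf[64];
    uint64_t handler = 0xffff800000a1b2c0ULL;   /* constructed kernel address */
    show_record(buf, sizeof buf, handler, opt_in, kptr_restrict, has_cap);
    return buffer_leaks_kernel_ptr(buf);
}

int main(void)
{
    printf("%%p  kptr_restrict=2 unprivileged: leaks=%d\n", record_leaks(0, KPTR_ALWAYS, 0));
    printf("%%pK kptr_restrict=2 unprivileged: leaks=%d\n", record_leaks(1, KPTR_ALWAYS, 0));
    printf("%%pK kptr_restrict=1 CAP_SYSLOG:   leaks=%d\n", record_leaks(1, KPTR_CAP_SYSLOG, 1));
    printf("%%pK kptr_restrict=1 unprivileged: leaks=%d\n", record_leaks(1, KPTR_CAP_SYSLOG, 0));
    return 0;
}
```

The first printed line is the whole argument: with the strictest sysctl setting, a sink that still uses plain %p leaks the address to an unprivileged reader, which is why the list above prefers blocking %p-style writes to user buffers outright rather than relying on each developer to choose %pK.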
= Work Areas =
This is far from a comprehensive list, but it's a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

3499e606d9272d2740bfc386fa79f682dfb188eb 3760 3745 2016-01-21T20:18:58Z KeesCook 3 /* Bug Classes */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
This is far from a comprehensive list, but it's a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

8f98a961b739be66a20940a75dac7a4b4aa1b819 3776 3760 2016-05-04T21:45:26Z KeesCook 3 /* Work Areas */ add link to feature list wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

6cd2a5c79e82d9b2b33e2f78e59afd2cf89eda6b 3782 3776 2016-05-23T20:23:21Z KeesCook 3 wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.
= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* Make CONFIG_DEBUG_RODATA mandatory on arm64
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write drivers/misc/lkdtm.c tests for PAX_USERCOPY
* Write lib/test_bpf.c tests for eBPF constant blinding

aad6d2067b87a579eb15fac446d441003b9e60d9 3783 3782 2016-06-01T21:25:13Z KeesCook 3 /* Specific TODO Items */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack
* Add guard page to bottom of kernel stack
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* Make CONFIG_DEBUG_RODATA mandatory on arm64
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write drivers/misc/lkdtm.c tests for PAX_USERCOPY
* Write lib/test_bpf.c tests for eBPF constant blinding

70419a0b290c6f951b60402ae55f9ea815fcb20b 3784 3783 2016-06-17T16:29:07Z KeesCook 3 /* Specific TODO Items */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.
= Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. = Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. 
While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention: * Split thread_info off of kernel stack * Move kernel stack to vmap area * Implement kernel relocation and KASLR for ARM * Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN) * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name * arm64: Make CONFIG_DEBUG_RODATA mandatory * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (perf_event_paranoid=3) * arm64: fix _etext to be the bottom of kernel instead of including rodata a87d34b3257caafe3ea78f482da8b952b92eaf33 3785 3784 2016-07-06T17:34:43Z KeesCook 3 /* 
Specific TODO Items */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. 
= Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers. = Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. 
While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention: * Split thread_info off of kernel stack (under development on x86 already) * Move kernel stack to vmap area (under development on x86 already) * Implement kernel relocation and KASLR for ARM * Implement PAN emulation on arm64 for ARMv8.0 hardware (32-bit ARMv7 already emulates it using Domains, and ARMv8.1 and later have hardware PAN) * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name * arm64: Make CONFIG_DEBUG_RODATA mandatory * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (perf_event_paranoid=3) 75ab4c6806818bab197cf80b0d9a41449afb5ce7 3787 3785 2016-08-12T21:42:52Z KeesCook 3 wikitext 
text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. 
= Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers. = Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. 
While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention: * Split thread_info off of kernel stack (under development on x86 already) * Move kernel stack to vmap area (under development on x86 already) * Implement kernel relocation and KASLR for ARM * Implement PAN emulation on arm64 for ARMv8.0 hardware (32-bit ARMv7 already emulates it using Domains, and ARMv8.1 and later have hardware PAN) * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name * arm64: Make CONFIG_DEBUG_RODATA mandatory * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (perf_event_paranoid=3) = Recommended settings = People ask from time to time what a good set of security-related build 
CONFIGs and runtime sysctls are. This is a brain-dump of the various options for a particularly paranoid system. == CONFIGs == # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Blocks direct physical memory access. CONFIG_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of credentials. CONFIG_DEBUG_CREDENTIALS=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists. CONFIG_SLAB_FREELIST_RANDOM=y # Dangerous; allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key. 
CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y === x86_64 === # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y === arm === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA. CONFIG_ARM_KERNMEM_PERMS=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable allocator free poisoning. slub_debug=P === x86_64 === # Remove vsyscall entirely to avoid it being a ROP target of any kind. vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling kernel.perf_event_paranoid = 2 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. 
kernel.yama.ptrace_scope = 1 ebe015761d6593c74a0cf85c67f84901fa9cd3d6 Bug Classes/Integer overflow 0 167 3758 3728 2016-01-04T20:06:07Z KeesCook 3 /* Examples */ wikitext text/x-wiki = Details = Integer overflows (or underflows) occur when an arithmetic operation (most often a multiplication used to compute an allocation size, but also an addition or increment) produces a value that exceeds what the datatype can represent, generally wrapping around. This usually results in either writing to too-small buffers, or producing out-of-bounds array indexes. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Additionally, reference counting can overflow and wrap around, leading to use-after-free exploits. = Examples = * [https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/ slub overflow] * [https://cyseclabs.com/page?n=02012016 refcount overflow] = Mitigations = * check for refcount overflows (e.g. PAX_REFCOUNT) * compiler instrumentation to detect multiplication overflows at runtime (e.g. [https://github.com/ephox-gcc-plugins PAX_SIZE_OVERFLOW]) f9609aaaac35471d8d4d05413d4c99e8a5015dd4 3759 3758 2016-01-21T20:18:15Z KeesCook 3 /* Examples */ wikitext text/x-wiki = Details = Integer overflows (or underflows) occur when an arithmetic operation (most often a multiplication used to compute an allocation size, but also an addition or increment) produces a value that exceeds what the datatype can represent, generally wrapping around. This usually results in either writing to too-small buffers, or producing out-of-bounds array indexes. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Additionally, reference counting can overflow and wrap around, leading to use-after-free exploits. = Examples = * [https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/ slub overflow] * [https://cyseclabs.com/page?n=02012016 refcount overflow] * [https://googleplex-android-review.git.corp.google.com/849547 refcount overflow] = Mitigations = * check for refcount overflows (e.g. 
PAX_REFCOUNT) * compiler instrumentation to detect multiplication overflows at runtime (e.g. [https://github.com/ephox-gcc-plugins PAX_SIZE_OVERFLOW]) 71421304b66e5e36b375661350da940805d4c89f 3762 3759 2016-02-03T21:02:41Z KeesCook 3 /* Examples */ paste-o wikitext text/x-wiki = Details = Integer overflows (or underflows) occur when an arithmetic operation (most often a multiplication used to compute an allocation size, but also an addition or increment) produces a value that exceeds what the datatype can represent, generally wrapping around. This usually results in either writing to too-small buffers, or producing out-of-bounds array indexes. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Additionally, reference counting can overflow and wrap around, leading to use-after-free exploits. = Examples = * [https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/ slub overflow] * [https://cyseclabs.com/page?n=02012016 group_info refcount overflow] * [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring refcount overflow] = Mitigations = * check for refcount overflows (e.g. PAX_REFCOUNT) * compiler instrumentation to detect multiplication overflows at runtime (e.g. [https://github.com/ephox-gcc-plugins PAX_SIZE_OVERFLOW]) 9b799573c08c0dce9298fdf4659c2cec9773decd 3766 3762 2016-03-09T21:47:12Z KeesCook 3 /* Examples */ wikitext text/x-wiki = Details = Integer overflows (or underflows) occur when an arithmetic operation (most often a multiplication used to compute an allocation size, but also an addition or increment) produces a value that exceeds what the datatype can represent, generally wrapping around. This usually results in either writing to too-small buffers, or producing out-of-bounds array indexes. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Additionally, reference counting can overflow and wrap around, leading to use-after-free exploits. 
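The two wrap-arounds described above, as an added example that is not part of the original page or of the kernel tree: a userspace C program in which an attacker-chosen element count wraps an allocation size (beside the same computation guarded with the compiler's overflow builtin), and a reference counter that wraps under leaked increments beside a saturating variant in the spirit of PAX_REFCOUNT. Every function, type and constant name here is this example's own; the "attack" is replayed on a counter that starts near its maximum so that it runs in constant time.

```c
/*
 * Added example, not code from kernsec.org or the kernel tree: the two
 * wrap-around patterns from the Details section (an allocation size computed
 * from an attacker-chosen count, and a reference count pushed past its
 * maximum), each beside a checked form. Userspace C for gcc/clang.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

struct entry { uint64_t key; uint64_t val; };   /* 16 bytes per element */

/* Vulnerable: count is attacker-controlled and count * sizeof() wraps
 * silently in size_t, so a huge count buys a tiny buffer that the later
 * per-element copy overruns. Returns the byte count the allocator would get. */
size_t array_bytes_unchecked(size_t count)
{
    return count * sizeof(struct entry);
}

/* Checked: the compiler builtin reports the wrap instead of hiding it (the
 * same idea as the kernel's later check_mul_overflow()/array_size()).
 * Returns 0 and sets *bytes, or -1 on overflow. */
int array_bytes_checked(size_t count, size_t *bytes)
{
    size_t n;
    if (__builtin_mul_overflow(count, sizeof(struct entry), &n))
        return -1;
    *bytes = n;
    return 0;
}

/* Yes/no wrapper: 1 if count would wrap the size computation. */
int count_would_overflow(size_t count)
{
    size_t unused;
    return array_bytes_checked(count, &unused) == -1;
}

/* Reference counting. If an attacker can make the kernel take a reference
 * it never drops (a leaked get), enough leaks drive the counter around to
 * zero; the next put then frees the object while real users still hold it. */
struct refcount { unsigned int val; };

void refcount_inc_unchecked(struct refcount *r) { r->val++; }
int  refcount_dec_and_test_unchecked(struct refcount *r) { return --r->val == 0; }

/* Saturating variant in the spirit of PAX_REFCOUNT: once the counter reaches
 * the cap it is pinned there, so a leak becomes a memory leak rather than a
 * use-after-free. An increment from zero (an already-freed object) pins too. */
#define REFCOUNT_SATURATED UINT_MAX

void refcount_inc_saturating(struct refcount *r)
{
    if (r->val == 0 || r->val == REFCOUNT_SATURATED) {
        r->val = REFCOUNT_SATURATED;
        return;
    }
    r->val++;
}

int refcount_dec_and_test_saturating(struct refcount *r)
{
    if (r->val == 0 || r->val == REFCOUNT_SATURATED)
        return 0;                 /* pinned or underflowed: never free */
    return --r->val == 0;
}

/* Replay the attack against either implementation. Returns 1 if the object
 * is freed while the owner still holds its reference (use-after-free). */
int simulate_refcount_attack(int saturating)
{
    /* State after the attacker has already leaked UINT_MAX - 3 references on
     * top of the owner's one (the leak loop is skipped; only the value matters). */
    struct refcount r = { UINT_MAX - 2 };

    for (int i = 0; i < 4; i++) {     /* four more leaked gets */
        if (saturating)
            refcount_inc_saturating(&r);
        else
            refcount_inc_unchecked(&r);
    }
    /* unchecked:  UINT_MAX-1, UINT_MAX, 0 (wrapped), 1
     * saturating: UINT_MAX-1, UINT_MAX, pinned, pinned */

    /* One legitimate temporary user now drops its reference. */
    return saturating ? refcount_dec_and_test_saturating(&r)
                      : refcount_dec_and_test_unchecked(&r);
}

int main(void)
{
    size_t huge = SIZE_MAX / sizeof(struct entry) + 2, bytes;
    printf("unchecked: %zu entries -> %zu bytes\n", huge, array_bytes_unchecked(huge));
    printf("checked:   %s\n", array_bytes_checked(huge, &bytes) ? "rejected" : "ok");
    printf("refcount unchecked:  freed under owner = %d\n", simulate_refcount_attack(0));
    printf("refcount saturating: freed under owner = %d\n", simulate_refcount_attack(1));
    return 0;
}
```

The count in main() is chosen so that count * 16 wraps to exactly 16 bytes on both 32-bit and 64-bit size_t, which is the shape of the slub overflow linked below: a one-element buffer followed by a copy loop that believes it has billions of elements to fill. The saturating counter trades a possible memory leak for the impossibility of a premature free, which is the same trade the upstream refcount hardening later made.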
= Examples = * [https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/ slub overflow] * [https://cyseclabs.com/page?n=02012016 group_info refcount overflow] * [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring refcount overflow] * [https://code.google.com/p/google-security-research/issues/detail?id=758 netfilter xt_alloc_table_info integer overflow] = Mitigations = * check for refcount overflows (e.g. PAX_REFCOUNT) * compiler instrumentation to detect multiplication overflows at runtime (e.g. [https://github.com/ephox-gcc-plugins PAX_SIZE_OVERFLOW]) b8aec2c3b9e254222de26c70de45835a4ce30e6a Bug Classes/Use after free 0 178 3761 2016-01-21T20:24:55Z KeesCook 3 Created page with "= Details = When a memory allocation gets freed but there are still accidentally users of that memory, it is possible that an attacker could control the new memory allocation ..." wikitext text/x-wiki = Details = When a memory allocation gets freed but there are still accidental users of that memory, it is possible that an attacker could control the new memory allocation that fills the freed area, and then manipulate its contents so that when the system uses its stale pointer it finds attacker-controlled data where it expects the original structure. If there are function pointers contained in the structure, this allows for trivial execution control. = Examples = * [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring use-after-free] = Mitigations = * clearing memory on free can stop attacks where there is no reallocation control (e.g. PAX_MEMORY_SANITIZE) * segregating memory used by the kernel and by userspace can stop attacks where this boundary is crossed (e.g. PAX_USERCOPY) * randomizing heap allocations can frustrate the reallocation efforts the attack needs to perform (e.g. 
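The Recommended settings list on the Kernel Self Protection Project page above gives build CONFIGs and runtime sysctls but no way to check a system against them. As an added example (not a tool from kernsec.org or the kernel tree), the following C program audits a .config and the "key = value" output of sysctl -a against a subset of those settings. The sample inputs are constructed inline, all names are this example's own, and the one rule not stated literally on the page, that CONFIG_MODULES=y requires CONFIG_MODULE_SIG_FORCE=y, follows the page's note that if modules are needed they must at least be signed.

```c
/*
 * Added example, not a tool from kernsec.org or the kernel tree: audit a
 * kernel .config and "sysctl -a" output against a subset of the settings
 * recommended above. Inputs are plain text; the samples at the bottom are
 * constructed for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Build options that must be =y. */
static const char *const required_y[] = {
    "CONFIG_DEBUG_RODATA", "CONFIG_CC_STACKPROTECTOR_STRONG", "CONFIG_STRICT_DEVMEM",
    "CONFIG_SECCOMP_FILTER", "CONFIG_SECURITY_YAMA", "CONFIG_HARDENED_USERCOPY",
    "CONFIG_SLAB_FREELIST_RANDOM", "CONFIG_PANIC_ON_OOPS",
};
/* Build options that must stay "# ... is not set". */
static const char *const must_be_unset[] = {
    "CONFIG_DEVKMEM", "CONFIG_COMPAT_BRK", "CONFIG_COMPAT_VDSO", "CONFIG_ACPI_CUSTOM_METHOD",
    "CONFIG_LEGACY_PTYS", "CONFIG_BINFMT_MISC", "CONFIG_KEXEC", "CONFIG_HIBERNATION",
};
/* Runtime sysctls and the minimum each should hold. */
static const struct { const char *key; long min; } sysctl_min[] = {
    { "kernel.kptr_restrict", 1 }, { "kernel.dmesg_restrict", 1 },
    { "kernel.perf_event_paranoid", 2 }, { "kernel.kexec_load_disabled", 1 },
    { "kernel.yama.ptrace_scope", 1 },
};

/* Pointer to the text after "KEY<sep>" on the line that begins with it, or
 * NULL. Anchoring at line start and requiring the separator means neither
 * "# CONFIG_X is not set" nor CONFIG_X_FOO=y can be mistaken for CONFIG_X. */
static const char *line_value(const char *text, const char *key, char sep)
{
    size_t klen = strlen(key);
    const char *line = text, *nl;

    while (*line) {
        if (strncmp(line, key, klen) == 0 && line[klen] == sep)
            return line + klen + 1;
        if (!(nl = strchr(line, '\n')))
            break;
        line = nl + 1;
    }
    return NULL;
}

/* True if the value at v is exactly "y" up to end of line. */
static int value_is_y(const char *v)
{
    return v && v[0] == 'y' && (v[1] == '\n' || v[1] == '\0');
}

/* Print each deviation in a .config and return how many there were. */
int audit_kconfig(const char *config)
{
    int bad = 0;
    size_t i;

    for (i = 0; i < COUNT(required_y); i++)
        if (!value_is_y(line_value(config, required_y[i], '='))) {
            printf("missing: %s=y\n", required_y[i]);
            bad++;
        }
    for (i = 0; i < COUNT(must_be_unset); i++)
        if (line_value(config, must_be_unset[i], '=')) {
            printf("should be unset: %s\n", must_be_unset[i]);
            bad++;
        }
    /* If modules are built at all, signatures must be enforced. */
    if (value_is_y(line_value(config, "CONFIG_MODULES", '=')) &&
        !value_is_y(line_value(config, "CONFIG_MODULE_SIG_FORCE", '='))) {
        printf("missing: CONFIG_MODULE_SIG_FORCE=y (CONFIG_MODULES=y)\n");
        bad++;
    }
    return bad;
}

/* Same for "key = value" lines as printed by sysctl -a; absent counts as bad. */
int audit_sysctl(const char *sysctls)
{
    int bad = 0;
    size_t i;

    for (i = 0; i < COUNT(sysctl_min); i++) {
        const char *v = line_value(sysctls, sysctl_min[i].key, ' ');
        if (v && *v == '=')
            v++;
        if (!v || strtol(v, NULL, 10) < sysctl_min[i].min) {
            printf("sysctl %s should be >= %ld\n", sysctl_min[i].key, sysctl_min[i].min);
            bad++;
        }
    }
    return bad;
}

/* Constructed samples: a compliant pair and a pair with typical gaps. */
static const char good_config[] =
    "CONFIG_DEBUG_RODATA=y\nCONFIG_CC_STACKPROTECTOR_STRONG=y\nCONFIG_STRICT_DEVMEM=y\n"
    "CONFIG_SECCOMP=y\nCONFIG_SECCOMP_FILTER=y\nCONFIG_SECURITY_YAMA=y\n"
    "CONFIG_HARDENED_USERCOPY=y\nCONFIG_SLAB_FREELIST_RANDOM=y\nCONFIG_PANIC_ON_OOPS=y\n"
    "# CONFIG_DEVKMEM is not set\n# CONFIG_KEXEC is not set\n"
    "CONFIG_MODULES=y\nCONFIG_MODULE_SIG_FORCE=y\n";
static const char bad_config[] = "CONFIG_DEBUG_RODATA=y\nCONFIG_DEVKMEM=y\nCONFIG_MODULES=y\n";
static const char good_sysctl[] =
    "kernel.kptr_restrict = 1\nkernel.dmesg_restrict = 1\nkernel.perf_event_paranoid = 2\n"
    "kernel.kexec_load_disabled = 1\nkernel.yama.ptrace_scope = 1\n";
static const char bad_sysctl[] =
    "kernel.kptr_restrict = 0\nkernel.dmesg_restrict = 0\nkernel.perf_event_paranoid = 1\n";

int main(void)
{
    printf("good .config: %d deviations\n", audit_kconfig(good_config));
    printf("bad .config:  %d deviations\n", audit_kconfig(bad_config));
    printf("good sysctls: %d deviations\n", audit_sysctl(good_sysctl));
    printf("bad sysctls:  %d deviations\n", audit_sysctl(bad_sysctl));
    return 0;
}
```

To run it against a real machine, read /boot/config-$(uname -r) (or /proc/config.gz, decompressed) into a buffer for audit_kconfig() and the output of sysctl -a into one for audit_sysctl(); on the constructed bad samples the report lists seven missing =y options, the enabled CONFIG_DEVKMEM, the unsigned-module case, and five sysctls below their minimum. The per-architecture items (CONFIG_RANDOMIZE_BASE, CONFIG_DEFAULT_MMAP_MIN_ADDR, the arm PAN options) are deliberately not in the tables because their correct values depend on the target.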
OpenBSD malloc) 6b0dbd88f3349cb2d35d70a8cf82228c50231f35 Linux Security Summit 2016 0 179 3763 2016-02-04T02:45:39Z JamesMorris 2 Created page with "TBA" wikitext text/x-wiki TBA ae50ce81c0ab15346851715818b855eed68b0618 3764 3763 2016-02-04T23:59:58Z JamesMorris 2 wikitext text/x-wiki The Linux Security Summit for 2016 will be co-located with [http://kernsec.org/wiki/index.php/Linux_Security_Summit_2016 LinuxCon North America], in Toronto, Canada, on 25th and 26th August. More details coming soon. b91bfd80613637788d80e61adc579dda5d876ee8 3767 3764 2016-03-29T10:50:24Z JamesMorris 2 wikitext text/x-wiki The Linux Security Summit for 2016 will be held in Toronto, Canada, on 25th and 26th August. See the event web site for details: http://events.linuxfoundation.org/events/linux-security-summit afdee54dd030a5cc90181990eaebf365a520433f Events 0 6 3765 3561 2016-02-20T13:20:12Z JamesMorris 2 wikitext text/x-wiki == Upcoming == [[Linux Security Summit 2016]], Toronto, Canada. August 25-26. == Past == === 2015 === * [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21. ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. 
*LCA security miniconf 20 January 2009, Hobart, Australia. 0321bca6154880f3fa0c914e68962fe08302ccaa Bug Classes/Format string injection 0 169 3773 3730 2016-04-12T22:29:44Z KeesCook 3 /* Examples */ wikitext text/x-wiki = Details = When an attacker-supplied string is accidentally passed as a format string, the attacker can manipulate the resulting output. The write primitive available is through the use of the %n specifier, which writes to memory. All the other specifiers lead to information leaks, since they read arguments (and therefore stack or register contents) that were never supplied. = Examples = * [http://seclists.org/oss-sec/2013/q2/510 injection via block layer] = Mitigations = * [https://git.kernel.org/linus/708d96fd060bd1e729fc93048cea8901f8bacb7c Eliminate the use of %n] * detect non-const format strings at compile time (e.g. gcc's -Wformat-security) * detect non-const format strings at run time (e.g. memory location checking done with glibc's -D_FORTIFY_SOURCE=2) f861dd78e0858ae51ec7fa45ea87f04a46a79be0 Feature List 0 180 3775 2016-05-04T21:43:29Z KeesCook 3 initial dump of interesting features wikitext text/x-wiki This is a list of various interesting security features since v3.4 and when they were introduced in the upstream kernel. Feel free to add anything more! {| class="wikitable" ! Version ! 
Feature |- | v3.5 | seccomp-bpf, x86 |- | v3.7 | PXN, arm64 |- |rowspan="3"| v3.8 | seccomp-bpf, arm |- | seccomp reported in /proc/$pid/status |- | finit_module syscall and LSM hook |- | v3.13 | remove %n from printf |- |rowspan="5"| v3.14 | ptdump, arm |- | kaslr, x86 |- | modules ro/nx, arm |- | stack-protector-strong |- | kexec_load_disabled |- |rowspan="3"| v3.15 | seccomp-bpf, mips |- | lkdtm WRITE_KERN |- | module aslr, x86 |- | v3.16 | harden sysctl writing |- |rowspan="2"| v3.17 | seccomp syscall and TSYNC |- | request_firmware LSM hook |- |rowspan="2"| v3.18 | kernel memory W^X, x86 |- | overlayfs v3.18 |- |rowspan="11"| v3.19 | kernel ro/nx, arm |- | modules ro/nx, arm64 |- | ptdump, arm64 |- | seccomp-bpf, arm64 |- | PXN, arm |- | crypto- module prefixing |- | ecryptfs one-byte heap write fix |- | arm64 mmap ASLR fix |- | vdso ASLR fix |- | vsyscall=none, x86_64 |- | vdso ASLR, mips |- |rowspan="3"| v4.0 | kernel ro/nx, arm64 |- | stack ASLR fix |- | seccomp-bpf, RET_ERRNO capped to 4095 |- |rowspan="3"| v4.1 | kernel stack buffer overflow detection, mips |- | INET_DIAG cookies fixed |- | ET_DYN ASLR separate from mmap ASLR |- |rowspan="4"| v4.3 | PAN emulation, arm |- | ambient capabilities |- | seccomp-bpf, powerpc |- | x86_32 direct socket calls |- | v4.4 | vsyscall CONFIG |- |} c212116b5e36699ed59d1e2e56abec03ebf9cfc0 3779 3775 2016-05-04T22:21:51Z KeesCook 3 wikitext text/x-wiki This is a list of various interesting security features since v3.4 and when they were introduced in the upstream kernel. Feel free to add anything more! {| class="wikitable" ! Version ! 
Feature |- | v3.5 | seccomp-bpf, x86 |- | v3.7 | PXN, arm64 |- |rowspan="3"| v3.8 | seccomp-bpf, arm |- | seccomp reported in /proc/$pid/status |- | finit_module syscall and LSM hook |- | v3.13 | remove %n from printf |- |rowspan="5"| v3.14 | ptdump, arm |- | kaslr, x86 |- | modules ro/nx, arm |- | stack-protector-strong |- | kexec_load_disabled |- |rowspan="3"| v3.15 | seccomp-bpf, mips |- | lkdtm WRITE_KERN |- | module aslr, x86 |- | v3.16 | harden sysctl writing |- |rowspan="2"| v3.17 | seccomp syscall and TSYNC |- | request_firmware LSM hook |- |rowspan="2"| v3.18 | kernel memory W^X, x86 |- | overlayfs v3.18 |- |rowspan="11"| v3.19 | kernel ro/nx, arm |- | modules ro/nx, arm64 |- | ptdump, arm64 |- | seccomp-bpf, arm64 |- | PXN, arm |- | crypto- module prefixing |- | ecryptfs one-byte heap write fix |- | arm64 mmap ASLR fix |- | vdso ASLR fix |- | vsyscall=none, x86_64 |- | vdso ASLR, mips |- |rowspan="3"| v4.0 | kernel ro/nx, arm64 |- | stack ASLR fix |- | seccomp-bpf, RET_ERRNO capped to 4095 |- |rowspan="3"| v4.1 | kernel stack buffer overflow detection, mips |- | INET_DIAG cookies fixed |- | ET_DYN ASLR separate from mmap ASLR |- |rowspan="4"| v4.3 | PAN emulation, arm |- | ambient capabilities |- | seccomp-bpf, powerpc |- | x86_32 direct socket calls |- | v4.4 | vsyscall CONFIG |- | v4.5 | ASLR entropy bits sysctl |- |} f4739f709fe25c76ac8a9e6a015dbe00ad59fb29 3780 3779 2016-05-05T22:41:39Z KeesCook 3 wikitext text/x-wiki This is a list of various interesting security features since v3.4 and when they were introduced in the upstream kernel. Feel free to add anything more! {| class="wikitable" ! Version ! 
Feature |- | v3.5 | seccomp-bpf, x86 |- | v3.7 | PXN, arm64 |- |rowspan="3"| v3.8 | seccomp-bpf, arm |- | seccomp reported in /proc/$pid/status |- | finit_module syscall and LSM hook |- | v3.13 | remove %n from printf |- |rowspan="5"| v3.14 | ptdump, arm |- | kaslr, x86 |- | modules ro/nx, arm |- | stack-protector-strong |- | kexec_load_disabled |- |rowspan="3"| v3.15 | seccomp-bpf, mips |- | lkdtm WRITE_KERN |- | module aslr, x86 |- | v3.16 | harden sysctl writing |- |rowspan="2"| v3.17 | seccomp syscall and TSYNC |- | request_firmware LSM hook |- |rowspan="2"| v3.18 | kernel memory W^X, x86 |- | overlayfs v3.18 |- |rowspan="11"| v3.19 | kernel ro/nx, arm |- | modules ro/nx, arm64 |- | ptdump, arm64 |- | seccomp-bpf, arm64 |- | PXN, arm |- | crypto- module prefixing |- | ecryptfs one-byte heap write fix |- | arm64 mmap ASLR fix |- | vdso ASLR fix |- | vsyscall=none, x86_64 |- | vdso ASLR, mips |- |rowspan="3"| v4.0 | kernel ro/nx, arm64 |- | stack ASLR fix |- | seccomp-bpf, RET_ERRNO capped to 4095 |- |rowspan="3"| v4.1 | kernel stack buffer overflow detection, mips |- | INET_DIAG cookies fixed |- | ET_DYN ASLR separate from mmap ASLR |- |rowspan="4"| v4.3 | PAN emulation, arm |- | ambient capabilities |- | seccomp-bpf, powerpc |- | x86_32 direct socket calls |- | v4.4 | vsyscall CONFIG |- | v4.5 | ASLR entropy bits sysctl |- |rowspan="4"| v4.6 | KASLR, arm64 |- | RODATA on by default, arm64 |- | RODATA on by default, arm (ARMv7+) |- | RODATA mandatory, x86 |- |} e7722c58b68a82e0488d301886bf582cf564a7a7 3781 3780 2016-05-05T22:42:50Z KeesCook 3 wikitext text/x-wiki This is a list of various interesting security features since v3.4 and when they were introduced in the upstream kernel. Feel free to add anything more! {| class="wikitable" ! Version ! 
Feature |- | v3.5 | seccomp-bpf, x86 |- | v3.7 | PXN, arm64 |- |rowspan="3"| v3.8 | seccomp-bpf, arm |- | seccomp reported in /proc/$pid/status |- | finit_module syscall and LSM hook |- | v3.13 | remove %n from printf |- |rowspan="5"| v3.14 | ptdump, arm |- | kaslr, x86 |- | modules ro/nx, arm |- | stack-protector-strong |- | kexec_load_disabled |- |rowspan="3"| v3.15 | seccomp-bpf, mips |- | lkdtm WRITE_KERN |- | module aslr, x86 |- | v3.16 | harden sysctl writing |- |rowspan="2"| v3.17 | seccomp syscall and TSYNC |- | request_firmware LSM hook |- |rowspan="2"| v3.18 | kernel memory W^X, x86 |- | overlayfs v3.18 |- |rowspan="11"| v3.19 | kernel ro/nx, arm |- | modules ro/nx, arm64 |- | ptdump, arm64 |- | seccomp-bpf, arm64 |- | PXN, arm |- | crypto- module prefixing |- | ecryptfs one-byte heap write fix |- | arm64 mmap ASLR fix |- | vdso ASLR fix, x86_64 |- | vsyscall=none, x86_64 |- | vdso ASLR, mips |- |rowspan="3"| v4.0 | kernel ro/nx, arm64 |- | stack ASLR fix |- | seccomp-bpf, RET_ERRNO capped to 4095 |- |rowspan="3"| v4.1 | kernel stack buffer overflow detection, mips |- | INET_DIAG cookies fixed |- | ET_DYN ASLR separate from mmap ASLR |- |rowspan="4"| v4.3 | PAN emulation, arm |- | ambient capabilities |- | seccomp-bpf, powerpc |- | x86_32 direct socket calls |- | v4.4 | vsyscall CONFIG |- | v4.5 | ASLR entropy bits sysctl |- |rowspan="4"| v4.6 | KASLR, arm64 |- | RODATA on by default, arm64 |- | RODATA on by default, arm (ARMv7+) |- | RODATA mandatory, x86 |- |} 57b1ef5079c5bcfebac5c901a056c463ad942942 Kernel Self Protection Project 0 162 3788 3787 2016-08-12T21:44:59Z KeesCook 3 /* arm */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. 
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". 
When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. = Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are 
number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention: * Split thread_info off of kernel stack (under development on x86 already) * Move kernel stack to vmap area (under development on x86 already) * Implement kernel relocation and KASLR for ARM * Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN) * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name * arm64: Make CONFIG_DEBUG_RODATA mandatory * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (perf_event_paranoid=3) = Recommended settings = People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system. == CONFIGs == # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Blocks direct physical memory access. CONFIG_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of credentials. CONFIG_DEBUG_CREDENTIALS=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists. CONFIG_SLAB_FREELIST_RANDOM # Dangerous; allows direct physical memory writing. 
# CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y === x86_64 === # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y === arm === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA. 
CONFIG_ARM_KERNMEM_PERMS=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_CONFIG is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable allocator free poisoning. slub_debug=P === x86_64 === # Remove vsyscall entirely to avoid it being a ROP target of any kind. vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling kernel.perf_event_paranoid = 2 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 610981096f6c9dff8d69952b0d40f7083997c412 3789 3788 2016-08-12T21:45:15Z KeesCook 3 /* arm */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). 
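The lists above are easy to drift from between kernel upgrades, so here is an added example (not code from this wiki or from the kernel tree) that turns them into a check: a POSIX sh script that audits a .config and a <code>sysctl -a</code> dump against the build options and sysctls recommended above. The function names, the temporary file names and the two sample configurations it writes are constructed for the demonstration; the option and sysctl names are the ones listed on this page. An option that is absent from a .config is treated as off, which matters when a tree predates a symbol, and a sysctl stricter than the listed minimum passes.

```shell
# Added example, not from the KSPP wiki or the kernel tree: audit a kernel
# .config and a "sysctl -a" dump against the recommended settings above. The
# file names and sample inputs below are constructed for the demo; on a real
# host use /boot/config-$(uname -r) or "zcat /proc/config.gz", and "sysctl -a".

# Build-time options that must appear exactly as written.
kspp_cfg_on='CONFIG_DEBUG_RODATA=y CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_DEVMEM=y CONFIG_SECCOMP_FILTER=y CONFIG_SECURITY_YAMA=y
CONFIG_HARDENED_USERCOPY=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_PANIC_ON_OOPS=y
CONFIG_MODULE_SIG_FORCE=y CONFIG_RANDOMIZE_BASE=y'

# Build-time options that must be off. "# CONFIG_X is not set" or no mention
# at all counts as off; "CONFIG_X=y" or "CONFIG_X=m" is a finding.
kspp_cfg_off='CONFIG_ACPI_CUSTOM_METHOD CONFIG_COMPAT_BRK CONFIG_COMPAT_VDSO
CONFIG_DEVKMEM CONFIG_KEXEC CONFIG_HIBERNATION CONFIG_INET_DIAG
CONFIG_BINFMT_MISC CONFIG_LEGACY_PTYS'

# Runtime sysctls as key=minimum; a value stricter than the minimum passes.
kspp_sysctl_min='kernel.kptr_restrict=1 kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2 kernel.kexec_load_disabled=1 kernel.yama.ptrace_scope=1'

# kspp_check_config FILE: print one "FAIL ..." line per deviation in a .config.
kspp_check_config() {
    for want in $kspp_cfg_on; do
        grep -qx -- "$want" "$1" || printf 'FAIL missing %s\n' "$want"
    done
    for sym in $kspp_cfg_off; do
        # The trailing "=" keeps CONFIG_KEXEC from matching CONFIG_KEXEC_FILE.
        grep -q -- "^$sym=" "$1" && printf 'FAIL enabled %s\n' "$sym"
    done
    return 0
}

# kspp_check_sysctl FILE: FILE holds "key = value" lines as printed by sysctl -a.
kspp_check_sysctl() {
    for spec in $kspp_sysctl_min; do
        key=${spec%=*}; min=${spec#*=}
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # match the dots literally
        have=$(sed -n "s/^$pat = //p" "$1")
        if [ -z "$have" ]; then
            printf 'FAIL unset %s\n' "$key"
        elif [ "$have" -lt "$min" ]; then
            printf 'FAIL %s = %s (want >= %s)\n' "$key" "$have" "$min"
        fi
    done
    return 0
}

# kspp_failures CONFIG SYSCTL_DUMP: print the total number of findings.
kspp_failures() {
    { kspp_check_config "$1"; kspp_check_sysctl "$2"; } | grep -c '^FAIL' || true
}

# Constructed sample inputs: a hardened build and a typical distro build.
kspp_dir=${TMPDIR:-/tmp}/kspp-demo.$$
mkdir -p "$kspp_dir"
cat > "$kspp_dir/config-hardened" <<'EOF'
CONFIG_DEBUG_RODATA=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_DEVMEM=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECURITY_YAMA=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_KEXEC is not set
EOF
cat > "$kspp_dir/sysctl-hardened" <<'EOF'
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
kernel.kexec_load_disabled = 1
kernel.yama.ptrace_scope = 1
EOF
cat > "$kspp_dir/config-distro" <<'EOF'
CONFIG_DEBUG_RODATA=y
CONFIG_CC_STACKPROTECTOR=y
CONFIG_STRICT_DEVMEM=y
CONFIG_SECCOMP_FILTER=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_INET_DIAG=m
CONFIG_LEGACY_PTYS=y
EOF
cat > "$kspp_dir/sysctl-distro" <<'EOF'
kernel.kptr_restrict = 0
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 2
kernel.kexec_load_disabled = 0
kernel.yama.ptrace_scope = 1
EOF
# Report on the distro-style build; the hardened one yields no FAIL lines.
kspp_check_config "$kspp_dir/config-distro"; kspp_check_sysctl "$kspp_dir/sysctl-distro"
```

On a real host, run <code>kspp_check_config /boot/config-$(uname -r)</code> (or <code>zcat /proc/config.gz > cfg</code> first) and <code>sysctl -a > dump; kspp_check_sysctl dump</code>. The sample distro build reports the five missing options, the three enabled-but-unwanted ones, and the two sysctls below their minimum; the hardened sample reports nothing. Note that the check only proves the option was selected, not that it is effective on this hardware (arm64 KASLR, for example, still needs the bootloader to provide a seed, as the arm64 section above says).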
3792 3791 2016-08-12T21:51:13Z KeesCook 3 /* sysctls */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. 
Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of credentials.
 CONFIG_DEBUG_CREDENTIALS=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_ARM_KERNMEM_PERMS=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable allocator free poisoning.
 slub_debug=P

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling.
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

528369eaf76acdc329374ccf36660471d70d9c33 3793 3792 2016-08-13T02:56:37Z KeesCook 3 /* arm */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself.
Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of credentials.
 CONFIG_DEBUG_CREDENTIALS=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable allocator free poisoning.
 slub_debug=P

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling.
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

c99a2afc2ac8fbd8029a1e01db118411d29695eb 3794 3793 2016-08-13T21:29:38Z KeesCook 3 /* x86_64 */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself.
Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. = Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention: * Split thread_info off of kernel stack (under development on x86 already) * Move kernel stack to vmap area (under development on x86 already) * Implement kernel relocation and KASLR for ARM * Implement PAN emulation on arm64 for ARMv8.0 hardware 
(pre-8.0 emulates using Domains, 8.1 and later use hardware PAN) * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name * arm64: Make CONFIG_DEBUG_RODATA mandatory * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (perf_event_paranoid=3) = Recommended settings = People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system. == CONFIGs == # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Blocks direct physical memory access. CONFIG_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of credentials. CONFIG_DEBUG_CREDENTIALS=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists. CONFIG_SLAB_FREELIST_RANDOM=y # Allow allocator validation checking to be enabled. CONFIG_SLUB_DEBUG=y # Dangerous; allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; allows replacement of running kernel. 
# CONFIG_KEXEC is not set # Dangerous; allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y === x86_64 === # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set === arm === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. 
CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable allocator free poisoning. slub_debug=P === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 ee49b9e8e8243275b3b16bb97b19c180a6971b5b 3795 3794 2016-08-13T21:31:28Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). 
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs; they should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =
People ask from time to time what a good set of security build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Remove additional attack surfaces, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==
 # Enable allocator free poisoning.
 slub_debug=P

=== x86_64 ===
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 vsyscall=none

== sysctls ==
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling.
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

5f4ee42b0201d1c0d44d48ac0714da493ce8e7f8 3796 3795 2016-08-13T21:33:12Z KeesCook 3 /* x86_64 */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs; they should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =
People ask from time to time what a good set of security build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surfaces, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==
 # Enable allocator free poisoning.
 slub_debug=P

=== x86_64 ===
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 vsyscall=none

== sysctls ==
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling.
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

56d31cea004405c65c9d357ffc659cbcf774d0fe 3797 3796 2016-08-13T21:33:35Z KeesCook 3 /* x86_64 */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs; they should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =
People ask from time to time what a good set of security build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surfaces, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==
 # Enable allocator free poisoning.
 slub_debug=P

=== x86_64 ===
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling.
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

e6fb68cb078ba39076e65f7fb50533a00533e1cb 3798 3797 2016-08-15T18:35:28Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws.
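As an added example (not part of this wiki page or of the kernel tree), the following script audits a saved .config and `sysctl -a` output against the CONFIGs and sysctls listed under Recommended settings above; the option and sysctl names are the page's, the sample inputs are constructed, and the module-signing and kexec checks are only demanded when modules or kexec are actually built in.

```python
"""Audit a .config and `sysctl -a` output against the page's recommended settings."""
import re

# Build options recommended for every architecture: the required value, or None
# when the option must be "not set" (absent from .config counts as not set).
RECOMMENDED_CONFIG = {
    "CONFIG_BUG": "y", "CONFIG_DEBUG_RODATA": "y",
    "CONFIG_CC_STACKPROTECTOR_STRONG": "y", "CONFIG_STRICT_DEVMEM": "y",
    "CONFIG_SECCOMP_FILTER": "y", "CONFIG_SECURITY_YAMA": "y",
    "CONFIG_HARDENED_USERCOPY": "y", "CONFIG_SLAB_FREELIST_RANDOM": "y",
    "CONFIG_PANIC_ON_OOPS": "y", "CONFIG_PANIC_TIMEOUT": "-1",
    "CONFIG_RANDOMIZE_BASE": "y",
    "CONFIG_ACPI_CUSTOM_METHOD": None, "CONFIG_COMPAT_BRK": None,
    "CONFIG_COMPAT_VDSO": None, "CONFIG_DEVKMEM": None,
    "CONFIG_KEXEC": None, "CONFIG_HIBERNATION": None, "CONFIG_LEGACY_PTYS": None,
}
# Required only if modules are built at all (the page prefers CONFIG_MODULES off).
MODULE_SIGNING = {"CONFIG_MODULE_SIG": "y", "CONFIG_MODULE_SIG_FORCE": "y"}
# The reserved low-memory range differs per architecture (the ARM loader needs < 64k).
MMAP_MIN_ADDR = {"x86": "65536", "arm": "32768", "arm64": "32768"}
RECOMMENDED_SYSCTL = {
    "kernel.kptr_restrict": "1", "kernel.dmesg_restrict": "1",
    "kernel.perf_event_paranoid": "3", "kernel.kexec_load_disabled": "1",
    "kernel.yama.ptrace_scope": "1",
}

def parse_kconfig(text):
    """Map .config text to {option: value}; '# CONFIG_X is not set' maps to None."""
    settings = {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            settings[m.group(1)] = None
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def parse_sysctl(text):
    """Map `sysctl -a` style 'key = value' lines to {key: value}."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def audit_config(settings, arch="x86"):
    """Return [(option, expected, actual)] for each build recommendation not met."""
    wanted = dict(RECOMMENDED_CONFIG)
    wanted["CONFIG_DEFAULT_MMAP_MIN_ADDR"] = MMAP_MIN_ADDR[arch]
    if settings.get("CONFIG_MODULES") == "y":
        wanted.update(MODULE_SIGNING)
    findings = []
    for option, expected in wanted.items():
        actual = settings.get(option)  # an option absent from .config is not set
        if actual != expected:
            findings.append((option, expected or "not set", actual or "not set"))
    return findings

def audit_sysctl(values, settings):
    """Return [(key, expected, actual)] for runtime sysctls off the recommended value."""
    findings = []
    for key, expected in RECOMMENDED_SYSCTL.items():
        if key == "kernel.kexec_load_disabled" and settings.get("CONFIG_KEXEC") is None:
            continue  # nothing built in to disable; audit_config already covers CONFIG_KEXEC
        if key == "kernel.yama.ptrace_scope" and settings.get("CONFIG_SECURITY_YAMA") != "y":
            continue  # the sysctl does not exist; audit_config reports the missing Yama LSM
        actual = values.get(key)
        if actual != expected:
            findings.append((key, expected, actual or "absent"))
    return findings

# Constructed sample inputs (not from a real system): a .config fragment and
# sysctl output that each miss several of the recommendations above.
SAMPLE_CONFIG = """\
CONFIG_BUG=y
CONFIG_DEBUG_RODATA=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_DEVMEM=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECURITY_YAMA=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_SLAB_FREELIST_RANDOM is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=0
CONFIG_RANDOMIZE_BASE=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_KEXEC=y
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
"""
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 0
kernel.perf_event_paranoid = 2
kernel.kexec_load_disabled = 0
kernel.yama.ptrace_scope = 1
"""

if __name__ == "__main__":
    cfg = parse_kconfig(SAMPLE_CONFIG)
    for name, want, got in audit_config(cfg) + audit_sysctl(parse_sysctl(SAMPLE_SYSCTL), cfg):
        print(f"{name}: expected {want}, found {got}")
```

On a live system, feed it the output of `zcat /proc/config.gz` (where CONFIG_IKCONFIG_PROC is available) or `/boot/config-$(uname -r)`, together with `sysctl -a`.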
We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs; they should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =
People ask from time to time what a good set of security build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y === x86_64 === # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set === arm === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). 
CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable allocator free poisoning. slub_debug=P === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 5357da35e3b3d2c28ec3eb4825163dec5be65b8e 3799 3798 2016-08-16T22:11:47Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). 
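
The following is an added example, not part of the wiki page: a POSIX shell audit that compares a kernel .config and the runtime sysctls against the recommended settings listed above. The CONFIG option and sysctl names are the page's; the script, its helper names and the sample inputs are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the KSPP wiki: audit a kernel .config and the
# runtime sysctls against the "particularly paranoid" settings above.
# Assumptions: the .config is a plain file (e.g. zcat /proc/config.gz > f)
# and sysctls are read from a /proc/sys-style tree; the demo inputs at the
# bottom are constructed here and describe no real system.

# check_config FILE OPTION WANT: WANT is a value such as y or 65536, or "n"
# meaning the option must be absent or appear as "# CONFIG_FOO is not set".
# Prints one line per check; returns 0 on pass, 1 on fail.
check_config() {
    file=$1 opt=$2 want=$3
    have=$(sed -n "s/^$opt=//p" "$file" | head -n 1)
    if [ "$want" = n ]; then
        if [ -z "$have" ]; then
            echo "ok   $opt is not set"; return 0
        fi
        echo "FAIL $opt=$have (should not be set)"; return 1
    fi
    if [ "$have" = "$want" ]; then
        echo "ok   $opt=$have"; return 0
    fi
    echo "FAIL $opt=${have:-<unset>} (want $want)"; return 1
}

# check_sysctl ROOT KEY WANT: kernel.yama.ptrace_scope is read from
# ROOT/kernel/yama/ptrace_scope; ROOT is /proc/sys on a live system.
check_sysctl() {
    sroot=$1 key=$2 swant=$3
    path="$sroot/$(printf '%s' "$key" | tr . /)"
    shave=$(cat "$path" 2>/dev/null)
    if [ "$shave" = "$swant" ]; then
        echo "ok   $key = $shave"; return 0
    fi
    echo "FAIL $key = ${shave:-<missing>} (want $swant)"; return 1
}

# audit CONFIG_FILE SYSCTL_ROOT: architecture-neutral build checks plus the
# sysctl checks; prints "failures: N" last; returns 0 only if all passed.
audit() {
    cfg=$1 root=$2 bad=0
    for pair in \
        CONFIG_DEBUG_RODATA=y CONFIG_CC_STACKPROTECTOR_STRONG=y \
        CONFIG_STRICT_DEVMEM=y CONFIG_HARDENED_USERCOPY=y \
        CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SECCOMP_FILTER=y \
        CONFIG_SECURITY_YAMA=y CONFIG_PANIC_ON_OOPS=y \
        CONFIG_DEVKMEM=n CONFIG_COMPAT_BRK=n CONFIG_KEXEC=n
    do
        check_config "$cfg" "${pair%%=*}" "${pair#*=}" || bad=$((bad + 1))
    done
    # Modules: either built without them, or every module must be signed.
    if [ "$(sed -n 's/^CONFIG_MODULES=//p' "$cfg")" = y ]; then
        check_config "$cfg" CONFIG_MODULE_SIG_FORCE y || bad=$((bad + 1))
    else
        echo "ok   CONFIG_MODULES is not set"
    fi
    for pair in kernel.kptr_restrict=1 kernel.dmesg_restrict=1 \
        kernel.perf_event_paranoid=3 kernel.kexec_load_disabled=1 \
        kernel.yama.ptrace_scope=1
    do
        check_sysctl "$root" "${pair%%=*}" "${pair#*=}" || bad=$((bad + 1))
    done
    echo "failures: $bad"
    [ "$bad" -eq 0 ]
}

# count_failures CONFIG_FILE SYSCTL_ROOT: print only the failure count.
count_failures() {
    audit "$1" "$2" | sed -n 's/^failures: //p'
}

# --- demo with constructed inputs (not a real system) ---
DEMO=$(mktemp -d); DEMO_CONFIG="$DEMO/config"; DEMO_SYSCTL="$DEMO/sys"
cat > "$DEMO_CONFIG" <<'EOF'
CONFIG_DEBUG_RODATA=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_DEVMEM=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECURITY_YAMA=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_DEVKMEM is not set
CONFIG_COMPAT_BRK=y
CONFIG_KEXEC=y
EOF
mkdir -p "$DEMO_SYSCTL/kernel/yama"
echo 1 > "$DEMO_SYSCTL/kernel/kptr_restrict"
echo 1 > "$DEMO_SYSCTL/kernel/dmesg_restrict"
echo 2 > "$DEMO_SYSCTL/kernel/perf_event_paranoid"
echo 0 > "$DEMO_SYSCTL/kernel/kexec_load_disabled"
echo 1 > "$DEMO_SYSCTL/kernel/yama/ptrace_scope"
# Expected: 5 failures (MODULE_SIG_FORCE, COMPAT_BRK, KEXEC,
# perf_event_paranoid, kexec_load_disabled).
audit "$DEMO_CONFIG" "$DEMO_SYSCTL" || echo "deviates from the recommended settings"
```

On a live system, run it as `audit ./config /proc/sys` after `zcat /proc/config.gz > ./config`; the architecture-specific options (MMAP_MIN_ADDR, RANDOMIZE_BASE, vsyscall) are left to the reader because their expected values differ per architecture.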

Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security-oriented build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable allocator free poisoning (requires CONFIG_SLUB_DEBUG=y).
 slub_debug=P

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling.
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

''Revision text sha1: d296ac3809ca51fab34552b62bcaaf55ee9eb5e8''

----

'''Revision 3800''' (parent 3799), 2016-08-31T10:59:03Z, MarkRutland (user 5), edit summary: CONFIG_DEBUG_RODATA will be mandatory for arm64 in v4.9 (wikitext, text/x-wiki)

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).

Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory (queued for v4.9)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security-oriented build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable allocator free poisoning (requires CONFIG_SLUB_DEBUG=y).
 slub_debug=P

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling.
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

''Revision text sha1: 8c9458c01ad59bc2a24ba1b5ef963368af10a3c9''

----

'''Revision 3818''' (parent 3800), 2016-09-27T21:33:31Z, MarkRutland (user 5), edit summary: Catalin Marinas is working on SW PAN for ARMv8.0 (wikitext, text/x-wiki)

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).

Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (under development)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory (queued for v4.9)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security-oriented build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable allocator free poisoning (requires CONFIG_SLUB_DEBUG=y). slub_debug=P === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 d7a975da8db6447a59b54ac24779cb02bc991daf 3819 3818 2016-09-30T19:14:19Z KeesCook 3 /* sysctls */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). 
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (under development)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory (queued for v4.9)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls are. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 
 # Allow allocator validation checking to be enabled.
 CONFIG_SLUB_DEBUG=y
 
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable allocator free poisoning (requires CONFIG_SLUB_DEBUG=y).
 slub_debug=P

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

b0ec0484f3cb48cbc4e85d522b71a91f866d930e 3820 3819 2016-09-30T19:52:35Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (under development)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory (queued for v4.9)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls are. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable allocator free poisoning (requires CONFIG_SLUB_DEBUG=y).
 slub_debug=P

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

77fcb40d623e6734563e92f053a6ab9db2fdbc5f 3821 3820 2016-09-30T19:53:20Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers.
For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (under development)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory (queued for v4.9)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls are. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Blocks direct physical memory access.
 CONFIG_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Dangerous; allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

a0d741b11b2719379b7d4eda189c87b2924efa57 3825 3821 2016-10-03T19:14:57Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a
number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (under development)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory (queued for v4.9)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

<pre>
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# Blocks direct physical memory access.
CONFIG_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y
# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Dangerous; allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
</pre>

=== x86_32 ===

<pre>
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
</pre>

=== x86_64 ===

<pre>
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
</pre>

=== arm ===

<pre>
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set
</pre>

=== arm64 ===

<pre>
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
</pre>

== kernel command line options ==

<pre>
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
</pre>

=== x86_64 ===

<pre>
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none
</pre>

== sysctls ==

<pre>
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
</pre>

a0dc6162ceeb1d44e9dfa20050d858f646711ba0 3826 3825 2016-10-03T19:15:15Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki
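The CONFIGs, boot parameters and sysctls listed under "Recommended settings" above can be audited on a built kernel and a running system. The script below is an added example, not part of the wiki page: it takes a .config path (such as /boot/config-$(uname -r), or /proc/config.gz decompressed to a file), checks a representative subset of the options above rather than every one, and, as an assumption made for testability, lets the /proc/sys root and the /proc/cmdline path be overridden.

```shell
#!/bin/sh
# kspp_audit.sh: audit a kernel .config, the boot command line and live
# sysctls against the "Recommended settings" above. Added example script,
# not part of the wiki page. Usage: sh kspp_audit.sh /boot/config-$(uname -r)
# (or: zcat /proc/config.gz > /tmp/config && sh kspp_audit.sh /tmp/config)

# Build options the page wants enabled; a .config records these as NAME=y.
KSPP_WANT_Y="CONFIG_BUG CONFIG_DEBUG_RODATA CONFIG_CC_STACKPROTECTOR_STRONG
CONFIG_STRICT_DEVMEM CONFIG_SYN_COOKIES CONFIG_DEBUG_LIST CONFIG_SECCOMP_FILTER
CONFIG_SECURITY_YAMA CONFIG_HARDENED_USERCOPY CONFIG_SLAB_FREELIST_RANDOM
CONFIG_SLUB_DEBUG CONFIG_PAGE_POISONING CONFIG_PANIC_ON_OOPS CONFIG_RANDOMIZE_BASE"

# Build options the page wants off. Kconfig writes "# NAME is not set" for a
# disabled option and omits it entirely when its dependencies are unmet, so
# the only failing states are NAME=y and NAME=m.
KSPP_WANT_OFF="CONFIG_ACPI_CUSTOM_METHOD CONFIG_COMPAT_BRK CONFIG_COMPAT_VDSO
CONFIG_DEVKMEM CONFIG_KEXEC CONFIG_HIBERNATION CONFIG_INET_DIAG
CONFIG_BINFMT_MISC CONFIG_LEGACY_PTYS"

# Print one finding; the caller keeps the count.
kspp_report() { printf 'DEVIATION: %s\n' "$1"; }

# Audit a .config file. Prints findings and returns their count (0 = clean).
kspp_check_config() {
    cfg="$1"; bad=0
    for opt in $KSPP_WANT_Y; do
        grep -qx "$opt=y" "$cfg" || { kspp_report "$opt should be =y"; bad=$((bad + 1)); }
    done
    for opt in $KSPP_WANT_OFF; do
        if grep -qE "^$opt=[ym]$" "$cfg"; then
            kspp_report "$opt should not be set"; bad=$((bad + 1))
        fi
    done
    # Modules are either not built at all or must carry a per-build signature.
    if grep -qx 'CONFIG_MODULES=y' "$cfg"; then
        for opt in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_FORCE CONFIG_MODULE_SIG_ALL; do
            grep -qx "$opt=y" "$cfg" || { kspp_report "$opt should be =y when CONFIG_MODULES=y"; bad=$((bad + 1)); }
        done
    fi
    return $bad
}

# Audit the boot command line (default /proc/cmdline) for the parameters the
# page lists; each must appear as a whole word.
kspp_check_cmdline() {
    cmdline="${1:-/proc/cmdline}"; bad=0
    for param in slub_debug=P page_poison=1 vsyscall=none; do
        grep -qw -- "$param" "$cmdline" || { kspp_report "boot parameter $param missing"; bad=$((bad + 1)); }
    done
    return $bad
}

# Audit runtime sysctls under a /proc/sys-style root (default /proc/sys).
# Each table line is "relative path" and the minimum value the page wants;
# a missing file means the feature (e.g. Yama) was not built in.
kspp_check_sysctls() {
    root="${1:-/proc/sys}"; bad=0
    while read -r path min; do
        [ -n "$path" ] || continue
        if [ ! -r "$root/$path" ]; then
            kspp_report "$path not present (feature not built in?)"; bad=$((bad + 1))
            continue
        fi
        cur=$(cat "$root/$path")
        if [ "$cur" -lt "$min" ]; then
            kspp_report "$path is $cur, want >= $min"; bad=$((bad + 1))
        fi
    done <<EOF
kernel/kptr_restrict 1
kernel/dmesg_restrict 1
kernel/perf_event_paranoid 3
kernel/kexec_load_disabled 1
kernel/yama/ptrace_scope 1
EOF
    return $bad
}

# Stand-alone use: audit the given .config plus this machine's cmdline and sysctls.
if [ $# -gt 0 ]; then
    total=0
    kspp_check_config "$1" || total=$((total + $?))
    kspp_check_cmdline     || total=$((total + $?))
    kspp_check_sysctls     || total=$((total + $?))
    echo "$total deviation(s) from the recommended settings"
    exit $((total > 0))
fi
```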
443b342931ea7ba7a58836d1b05cb45f1803eee8 3827 3826 2016-10-06T21:43:45Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a
number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention: * Split thread_info off of kernel stack (under development on x86 already) * Move kernel stack to vmap area (under development on x86 already) * Implement kernel relocation and KASLR for ARM * Implement PAN emulation on arm64 for ARMv8.0 hardware (under development) * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name * arm64: Make CONFIG_DEBUG_RODATA mandatory (queued for v4.9) * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (perf_event_paranoid=3) = Recommended settings = People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system. == CONFIGs == # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targetted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. 
CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists. CONFIG_SLAB_FREELIST_RANDOM=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. 
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is unset

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poisoning=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

1861cbc0d91540985d60b31349bd72ea3922c08f 3828 3827 2016-10-17T13:08:18Z MarkRutland 5 moving THREAD_INFO off of the stack is worked on by Mark Rutland for arm64, Heiko Carstens for s390 wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself.
Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86, arm64, and s390 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (under development)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* arm64: Make CONFIG_DEBUG_RODATA mandatory (queued for v4.9)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (perf_event_paranoid=3)

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is unset

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poisoning=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

98cd5c4fa714aefcdcca52cd552ead34c7f12ef2 3829 3828 2016-10-18T20:46:54Z KeesCook 3 /* Specific TODO Items */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers.
For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.
While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86, arm64, and s390 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (under development)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* Make CONFIG_DEBUG_RODATA mandatory (arm64 queued for v4.9, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to other usercopy functions (e.g. csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden and rename CONFIG_DEBUG_LIST better and default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h (in progress)
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is unset

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poisoning=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

9454c0577b033c531d7261311fba0538d55aa703 3830 3829 2016-10-31T15:13:31Z KeesCook 3 /* Specific TODO Items */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself.
Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (under development on x86, arm64, and s390 already)
* Move kernel stack to vmap area (under development on x86 already)
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (under development)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* Make CONFIG_DEBUG_RODATA mandatory (arm64 queued for v4.9, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to other usercopy functions (e.g. csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden and rename CONFIG_DEBUG_LIST better and default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h (in progress)
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y === x86_64 === # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set === arm === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. 
# CONFIG_OABI_COMPAT is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poisoning=1 === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 f325ea2ce5574a41528808b749a22882d1516608 3831 3830 2016-11-01T17:25:22Z KeesCook 3 /* kernel command line options */ Fix typo, thanks to Simon Ruderich wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. 
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". 
When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. = Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are 
number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention: * Split thread_info off of kernel stack (under development on x86, arm64, and s390 already) * Move kernel stack to vmap area (under development on x86 already) * Implement kernel relocation and KASLR for ARM * Implement PAN emulation on arm64 for ARMv8.0 hardware (under development) * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name * Make CONFIG_DEBUG_RODATA mandatory (arm64 queued for v4.9, other archs still need it) * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (e.g. perf_event_paranoid=3) * Extend HARDENED_USERCOPY to other usercopy functions (e.g. csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck) * Extend HARDENED_USERCOPY to use slab whitelisting * Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()svmalloc stack guard pages * protect ARM vector table as fixed-location kernel target * disable kuser helpers on arm * harden and rename CONFIG_DEBUG_LIST better and default=y * add zeroing of copy_from_user on failure test to test_usercopy.c * consolidate all architecture's use of usercopy into asm-generic/uaccess.h (in progress) * add WARN path for page-spanning usercopy checks (instead of the separate CONFIG) * create UNEXPECTED(), like BUG() but without the lock-busting, etc * adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too) * provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register() * expand use of __ro_after_init, especially in 
arch/arm64 = Recommended settings = People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system. == CONFIGs == # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targetted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists. CONFIG_SLAB_FREELIST_RANDOM=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; enabling this disables VDSO ASLR. 
# CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y === x86_64 === # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set === arm === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). 
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 9d2b590ff0a929551de35ccfd484b1fa26142722 3832 3831 2016-12-13T16:22:36Z MarkRutland 5 Update with v4.9 details wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. 
We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. 
Should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. = Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. 
While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention: * Split thread_info off of kernel stack (done for x86, queued for arm64 and s390) * Move kernel stack to vmap area (done on x86, other archs still need it) * Implement kernel relocation and KASLR for ARM * Implement PAN emulation on arm64 for ARMv8.0 hardware (queued for v4.10) * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name * Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it) * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (e.g. perf_event_paranoid=3) * Extend HARDENED_USERCOPY to other usercopy functions (e.g. 
csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck) * Extend HARDENED_USERCOPY to use slab whitelisting * Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()svmalloc stack guard pages * protect ARM vector table as fixed-location kernel target * disable kuser helpers on arm * harden and rename CONFIG_DEBUG_LIST better and default=y * add zeroing of copy_from_user on failure test to test_usercopy.c * consolidate all architecture's use of usercopy into asm-generic/uaccess.h (in progress) * add WARN path for page-spanning usercopy checks (instead of the separate CONFIG) * create UNEXPECTED(), like BUG() but without the lock-busting, etc * adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too) * provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register() * expand use of __ro_after_init, especially in arch/arm64 = Recommended settings = People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system. == CONFIGs == # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targetted structures. 
CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists. CONFIG_SLAB_FREELIST_RANDOM=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. 
CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y === x86_64 === # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set === arm === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). 
slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 d1828847fa65c52f74f7c009d8b2b37b6a4c7d9f 3833 3832 2017-01-30T21:49:51Z KeesCook 3 /* Specific TODO Items */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). 
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. 
Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc.
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompatible with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.
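Checking a built kernel and a running system against a list like the one below by hand is error-prone, so here is an added example (not from this wiki or from the kernel tree) of a small POSIX shell audit script. It reads a kernel .config, a "sysctl -a" dump and a /proc/cmdline-style file and reports every listed option that does not match. The subset of options it encodes, the script name ksp-audit.sh, the temp-file handling and the sample inputs are assumptions made for illustration; extend the WANT_* lists with the remaining settings from this page as needed.

```shell
#!/bin/sh
# Added example, not part of the KSPP wiki: audit a kernel .config, a
# sysctl dump and a kernel command line against settings this page
# recommends. Option names are the page's (v4.9-era kernels); the file
# paths and the option subset below are assumptions for illustration.

# Build options to require, one NAME=VALUE per line. A want of "n" means
# the option must be absent or appear as "# NAME is not set".
WANT_CONFIG='
CONFIG_BUG=y
CONFIG_DEBUG_RODATA=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_DEVMEM=y
CONFIG_DEBUG_LIST=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECURITY_YAMA=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_DEVMEM=n
CONFIG_DEVKMEM=n
CONFIG_COMPAT_BRK=n
CONFIG_COMPAT_VDSO=n
CONFIG_KEXEC=n
'

# Runtime sysctls to require, key=value.
WANT_SYSCTL='
kernel.kptr_restrict=1
kernel.dmesg_restrict=1
kernel.kexec_load_disabled=1
kernel.yama.ptrace_scope=1
'

# Kernel command line tokens to require.
WANT_CMDLINE='slub_debug=P page_poison=1'

# config_value FILE NAME: print NAME's value from a kernel .config, or
# "n" when it is missing or commented out as "# NAME is not set".
config_value() {
    v=$(grep "^$2=" "$1" | head -n 1 | cut -d= -f2-)
    printf '%s\n' "${v:-n}"
}

# check_config FILE: print one "FAIL ..." line per mismatch and return
# the number of mismatches (0 means every listed option is as wanted).
check_config() {
    fails=0
    for spec in $WANT_CONFIG; do
        name=${spec%%=*}; want=${spec#*=}
        got=$(config_value "$1" "$name")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s want=%s got=%s\n' "$name" "$want" "$got"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# check_sysctl FILE: same check over a "key = value" dump (sysctl -a).
check_sysctl() {
    fails=0
    for spec in $WANT_SYSCTL; do
        key=${spec%%=*}; want=${spec#*=}
        got=$(sed -n "s/^$key *= *//p" "$1" | head -n 1)
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s want=%s got=%s\n' "$key" "$want" "${got:-missing}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# check_cmdline FILE: require each token verbatim in /proc/cmdline-style
# input. Combined flags such as slub_debug=FZP still need a manual look.
check_cmdline() {
    fails=0
    for tok in $WANT_CMDLINE; do
        if ! tr ' ' '\n' < "$1" | grep -qx "$tok"; then
            printf 'FAIL cmdline lacks %s\n' "$tok"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# audit_live: run all three checks against the running system.
audit_live() {
    tmp=$(mktemp)
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz > "$tmp"
    else cat "/boot/config-$(uname -r)" > "$tmp"; fi
    check_config "$tmp"
    sysctl -a 2>/dev/null > "$tmp" && check_sysctl "$tmp"
    check_cmdline /proc/cmdline
    rm -f "$tmp"
}

# Usage: sh ksp-audit.sh --live   (functions only are defined otherwise)
case "${1:-}" in --live) audit_live ;; esac
```

Each checker returns its mismatch count, so the script composes with other tooling (a non-zero exit from "sh ksp-audit.sh --live" fails a build or boot test). The sysctl check deliberately reads a dump rather than /proc/sys directly so the same function can vet a saved "sysctl -a" from another host.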

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

4709a9b9accd29a8d2a22ba978463e03f5e56762 3834 3833 2017-01-30T21:52:38Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will do more than find bugs: they should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

417696dc1c4e716832788e18e1ffd4c0083c79d2 3835 3834 2017-02-02T23:00:59Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

6d98fa9cf767f735c4fba8a9d12e4010e333f39d Exploit Methods/Function pointer overwrite 0 174 3801 3739 2016-09-14T16:11:30Z KeesCook 3 /* Details */ wikitext text/x-wiki

= Details =

When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.

= Examples =

* [https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-exploit/ security_operations overwrite]
* [https://blogs.oracle.com/ksplice/entry/anatomy_of_an_exploit_cve IDT, timer_list_fops, or security_operations overwrite]

= Mitigations =

* make function pointer tables read-only (e.g. PAX_CONSTIFY_PLUGIN)
* make sensitive targets that need only occasional updates only writable during updates (e.g. PAX_KERNEXEC)

335e195a3592683e01f6d5709c64dfcc95df0c5b 3802 3801 2016-09-14T16:13:26Z KeesCook 3 /* Mitigations */ wikitext text/x-wiki

= Details =

When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.

= Examples =

* [https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-exploit/ security_operations overwrite]
* [https://blogs.oracle.com/ksplice/entry/anatomy_of_an_exploit_cve IDT, timer_list_fops, or security_operations overwrite]

= Mitigations =

* use __ro_after_init on function pointer tables that are only written during __init so they are read-only during the rest of the kernel runtime.
* make all function pointer tables read-only at compile time (e.g. PAX_CONSTIFY_PLUGIN)
* make sensitive targets that need only occasional updates only writable during rare updates (e.g. PAX_KERNEXEC)

d404a194c5445f79f8bca1f71e282b1ff9262d7f 3803 3802 2016-09-14T16:17:24Z KeesCook 3 /* Mitigations */ wikitext text/x-wiki

= Details =

When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.
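The "const" and "__ro_after_init" mitigations listed under Mitigations below, modelled in userspace as an added example (not code from this wiki or from the kernel tree; `ops`, `late_ops`, `finish_init` and the other names are this example's own, and mprotect() stands in for the kernel's page-table change at the end of init):

```c
/* Added example, not from the KSPP wiki or the kernel tree: a userspace
 * model of the "const" / "__ro_after_init" mitigations.  The dispatch table
 * is written once during "init" and then made read-only with mprotect(), so
 * a later stray write (the write primitive from Details above) faults
 * instead of redirecting execution.  All names here (ops, late_ops,
 * finish_init, ...) are this example's own, not kernel identifiers. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A small dispatch table in the style of a kernel fops structure. */
struct ops {
    int (*open)(int);
    int (*read)(int);
};

static int real_open(int x) { return x + 1; }
static int real_read(int x) { return x * 2; }
/* Stand-in for an attacker-chosen target; must never become reachable. */
static int hijacked(int x) { (void)x; return -1; }

/* Statically known table: "const" places it in .rodata, read-only for the
 * whole program lifetime, and an assignment to it does not even compile. */
static const struct ops static_ops = { real_open, real_read };

/* Table that can only be filled at run time (the __ro_after_init case):
 * it gets its own page so its protection can be changed independently. */
static struct ops *late_ops;
static size_t page_size;

/* "__init" phase: allocate the table writable and fill it in. */
int setup_late_ops(void) {
    void *p = NULL;
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    if (posix_memalign(&p, page_size, page_size) != 0) return -1;
    late_ops = p;
    late_ops->open = real_open;
    late_ops->read = real_read;
    return 0;
}

/* End of init: drop write permission (the __ro_after_init moment).  The
 * page is intentionally never freed; like kernel data it lives as long as
 * the process, and free() would need it writable again. */
int finish_init(void) {
    return mprotect(late_ops, page_size, PROT_READ);
}

static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Simulate a write primitive aimed at late_ops->read.
 * Returns 1 if the write faulted (table protected), 0 if it went through. */
int write_to_late_ops_is_blocked(void) {
    struct sigaction sa, old;
    volatile int blocked = 1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        late_ops->read = hijacked;   /* faults once the page is read-only */
        blocked = 0;                 /* only reached while still writable */
    }
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

/* Dispatch through the tables, as kernel code does through fops. */
int call_static_read(int x) { return static_ops.read(x); }
int call_late_read(int x) { return late_ops->read(x); }

int main(void) {
    if (setup_late_ops() != 0 || finish_init() != 0) return 1;
    /* After init the table still dispatches, but the hijack attempt faults. */
    return (call_late_read(21) == 42 && write_to_late_ops_is_blocked()) ? 0 : 1;
}
```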
= Examples = * [https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-exploit/ security_operations overwrite] * [https://blogs.oracle.com/ksplice/entry/anatomy_of_an_exploit_cve IDT, timer_list_fops, or security_operations overwrite] = Mitigations = * mark function pointer tables "const" when they can be statically assigned, making them read-only for the entire kernel runtime. * use __ro_after_init on function pointer tables that are only written during __init so they are read-only during the rest of the kernel runtime. * make all function pointer tables read-only at compile time (e.g. PAX_CONSTIFY_PLUGIN). * make sensitive targets that need only occasional updates only writable during rare updates (e.g. PAX_KERNEXEC). dbc9d173de078c07f7b64f43692eb21756714884 Exploit Methods/Userspace data usage 0 176 3804 3786 2016-09-15T03:46:47Z KeesCook 3 /* Mitigations */ wikitext text/x-wiki = Details = Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation. Note that this is a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. If we can protect against userspace access, we'll also be protecting against userspace execution. = Examples = * [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure] * [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack] * [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts] = Mitigations = * hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm) * emulated PAN (memory segmentation via segments, Domains, page table swapping, PCID, etc. e.g. 
PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="5"| ARM
| v7 32-bit non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN
|-
| v7 32-bit LPAE
| future: CONFIG_ARM64_SW_TTBR0_PAN ([http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.0 32-bit
| future: CONFIG_ARM64_SW_TTBR0_PAN
|-
| v8.0 64-bit
| future: CONFIG_ARM64_SW_TTBR0_PAN
|-
| v8.1 (since December 2014)
| hardware PAN
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3805 (parent 3804), 2016-09-15T03:47:59Z, KeesCook, edit summary: /* Mitigations */

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that this is a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. If we can protect against userspace access, we'll also be protecting against userspace execution.

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segmentation via segments, Domains, page table swapping, PCID, etc. e.g.
PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 32-bit
| CONFIG_CPU_SW_DOMAIN_PAN
|-
| v8.0
| future: CONFIG_ARM64_SW_TTBR0_PAN ([http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (since December 2014)
| hardware PAN
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3806 (parent 3805), 2016-09-15T03:48:31Z, KeesCook, edit summary: /* Mitigations */

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that this is a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. If we can protect against userspace access, we'll also be protecting against userspace execution.

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segmentation via segments, Domains, page table swapping, PCID, etc. e.g.
PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN
|-
| v8.0
| future: CONFIG_ARM64_SW_TTBR0_PAN ([http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (since December 2014)
| hardware PAN
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3808 (parent 3806), 2016-09-15T03:49:46Z, KeesCook, edit summary: /* Mitigations */

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that this is a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. If we can protect against userspace access, we'll also be protecting against userspace execution.

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segmentation via segments, Domains, page table swapping, PCID, etc. e.g.
PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN
|-
| v8.0 (64-bit)
| future: CONFIG_ARM64_SW_TTBR0_PAN ([http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3809 (parent 3808), 2016-09-15T03:54:27Z, KeesCook, edit summary: /* Mitigations */

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that this is a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. If we can protect against userspace access, we'll also be protecting against userspace execution.

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segmentation via segments, Domains, page table swapping, PCID, etc. e.g.
PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v8.0 (64-bit)
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9, [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3811 (parent 3809), 2016-09-15T03:59:40Z, KeesCook, edit summary: /* Mitigations */

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that this is a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. If we can protect against userspace access, we'll also be protecting against userspace execution.

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segmentation via segments, Domains, page table swapping, PCID, etc. e.g.
PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v8.0 (64-bit)
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9, [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing (could use PCID?)
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3815 (parent 3811), 2016-09-15T19:48:32Z, KeesCook, edit summary: /* Mitigations */

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that this is a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. If we can protect against userspace access, we'll also be protecting against userspace execution.

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segregation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segregation via segments, Domains, page table swapping, PCID, etc. e.g.
PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v8.0 (64-bit)
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9, [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing (could use PCID?)
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3816 (parent 3815), 2016-09-15T19:49:42Z, KeesCook, edit summary: /* Details */

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that under some emulation situations, this can be a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. (If we can protect against userspace access, we'll also be protecting against userspace execution.) Hardware protections tend to be separate, though, due to different memory paths for instruction fetch (execution) and read/write.
= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segregation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segregation via segments, Domains, page table swapping, PCID, etc. e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v8.0 (64-bit)
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9, [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing (could use PCID?)
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3817 (parent 3816), 2016-09-15T19:53:49Z, KeesCook, edit summary: /* Details */

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that under some emulation situations, this can be a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. (If we can protect against userspace access, we'll also be protecting against userspace execution.)
Hardware protections tend to be separate, though, due to different memory paths for instruction fetch (execution) and data access (read/write).

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segregation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segregation via segments, Domains, page table swapping, PCID, etc. e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v8.0 (64-bit)
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9, [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing (could use PCID?)
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Page: Exploit Methods/Userspace execution (page id 175)
Revision 3807 (parent 3772), 2016-09-15T03:49:03Z, KeesCook, edit summary: /* Mitigations */

= Details =
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be in userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there. (Frequently known as "ret2usr".)
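The following is an added userspace toy, not code from the kernsec wiki or the kernel, covering both this page and the Userspace data usage page above. A separate mapping stands in for the user half of the address space; everything else in the process is treated as "kernel". A task's cred pointer is corrupted to point at an attacker-built cred with uid 0 in user memory (the "cred structure" example on the data usage page), and a task's function pointer is corrupted to point into user memory (ret2usr). The emulated mitigation is the address-range refusal that PAN/SMAP enforce in hardware and that software schemes such as PAX_MEMORY_UDEREF emulate: kernel code does not follow data or code pointers into the user range. The arena split, toy_cred/toy_task and the -EFAULT return are this example's assumptions; the unprotected ret2usr call is deliberately not performed, since it would mean executing data.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define EFAULT 14
#define USER_ARENA_SIZE 4096

struct toy_cred { uint32_t uid; uint32_t gid; };
struct toy_task {
    struct toy_cred *cred;
    int (*exit_hook)(struct toy_task *);
};

/* "User" memory: one anonymous mapping standing in for the lower half of
 * the address space. Everything else in the process counts as "kernel". */
static uint8_t *user_arena;

static int in_user_range(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    return user_arena && a >= (uintptr_t)user_arena &&
           a < (uintptr_t)user_arena + USER_ARENA_SIZE;
}

/* Kernel-side objects. */
static struct toy_cred kernel_cred = { .uid = 1000, .gid = 1000 };
static int kernel_exit_hook(struct toy_task *t) { (void)t; return 0; }

/* Unprotected kernel: follows task->cred wherever it points. */
static int effective_uid_unprotected(const struct toy_task *t, uint32_t *uid)
{
    *uid = t->cred->uid;
    return 0;
}

/* Emulated PAN: refuse to read data through a pointer into the user range. */
static int effective_uid_pan(const struct toy_task *t, uint32_t *uid)
{
    if (in_user_range(t->cred))
        return -EFAULT;
    *uid = t->cred->uid;
    return 0;
}

/* Emulated PXN/SMEP: refuse to call through a pointer into the user range. */
static int call_exit_hook_pxn(struct toy_task *t)
{
    if (in_user_range((const void *)(uintptr_t)t->exit_hook))
        return -EFAULT;
    return t->exit_hook(t);
}

/* Map the user arena once and build a task whose pointers the "attacker"
 * has corrupted as requested. Returns -1 if the mapping fails. */
static int setup(struct toy_task *t, int corrupt_cred, int corrupt_hook)
{
    if (!user_arena) {
        void *m = mmap(NULL, USER_ARENA_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (m == MAP_FAILED)
            return -1;
        user_arena = m;
    }
    /* Attacker builds a fake cred in user memory: uid 0, gid 0. */
    struct toy_cred *fake = (struct toy_cred *)user_arena;
    fake->uid = 0;
    fake->gid = 0;

    t->cred = corrupt_cred ? fake : &kernel_cred;
    /* The ret2usr target: some address inside the user arena. */
    t->exit_hook = corrupt_hook
        ? (int (*)(struct toy_task *))(uintptr_t)(user_arena + 256)
        : kernel_exit_hook;
    return 0;
}

/* Returns the uid the kernel would act on (0 means the fake cred was
 * honoured), or -EFAULT when the emulated PAN refused the access. */
int demo_cred(int hardened, int corrupt)
{
    struct toy_task t;
    uint32_t uid = 0xffffffffu;
    if (setup(&t, corrupt, 0))
        return -1;
    int rc = hardened ? effective_uid_pan(&t, &uid)
                      : effective_uid_unprotected(&t, &uid);
    return rc ? rc : (int)uid;
}

/* Returns 0 if the hook ran, -EFAULT if the emulated PXN refused the call. */
int demo_hook(int corrupt)
{
    struct toy_task t;
    if (setup(&t, 0, corrupt))
        return -1;
    return call_exit_hook_pxn(&t);
}

int main(void)
{
    printf("unprotected, fake cred: uid %d\n", demo_cred(0, 1));
    printf("PAN-style,   fake cred: %d\n", demo_cred(1, 1));
    printf("PAN-style, kernel cred: uid %d\n", demo_cred(1, 0));
    printf("PXN-style, user target: %d\n", demo_hook(1));
    printf("PXN-style, kernel hook: %d\n", demo_hook(0));
    return 0;
}
```

The shape matters more than the numbers: with the check absent, one corrupted pointer turns an attacker-controlled buffer into the kernel's idea of the current credentials. The range check is what hardware PAN/SMAP provide for free on every load, and what the table on these pages is tracking per architecture; on a CPU without it, the kernel has to switch page tables, domains or segments to get the same refusal.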
For more details, see [[Exploit Methods/Userspace data usage|Userspace access]], as that is technically a superset of userspace execution.

= Examples =
* See nearly every other exploit example listed under other [[Exploit Methods]] and [[Bug Classes]].

= Mitigations =
* hardware segmentation: SMEP (x86), PXN (arm)
* compiler instrumentation to set high bit on function calls
* emulate memory segmentation via separate page tables (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit) non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN
|-
| v7 (32-bit) LPAE (e.g. Cortex-A7, A15+)
| hardware PXN
|-
| v8.0+ (64-bit)
| hardware PXN
|-
|rowspan="2"| x86
| pre-Ivy-Bridge
|style="color: red;"| nothing
|-
| Ivy-Bridge+ (since May 2012)
| hardware PXN (SMEP)
|-
|colspan="2"| s/390
| hardware PXN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3810 (parent 3807), 2016-09-15T03:55:49Z, KeesCook, edit summary: /* Mitigations */

= Details =
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be in userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there. (Frequently known as "ret2usr".)

For more details, see [[Exploit Methods/Userspace data usage|Userspace access]], as that is technically a superset of userspace execution.

= Examples =
* See nearly every other exploit example listed under other [[Exploit Methods]] and [[Bug Classes]].

= Mitigations =
* hardware segmentation: SMEP (x86), PXN (arm)
* compiler instrumentation to set high bit on function calls
* emulate memory segmentation via separate page tables (e.g.
PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit) non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v7 (32-bit) LPAE (e.g. Cortex-A7, A15+)
| hardware PXN (since Linux v3.19)
|-
| v8.0+ (64-bit)
| hardware PXN
|-
|rowspan="2"| x86
| pre-Ivy-Bridge
|style="color: red;"| nothing
|-
| Ivy-Bridge+ (since May 2012)
| hardware PXN (SMEP)
|-
|colspan="2"| s/390
| hardware PXN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3812 (parent 3810), 2016-09-15T03:59:56Z, KeesCook, edit summary: /* Mitigations */

= Details =
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be in userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there. (Frequently known as "ret2usr".)

For more details, see [[Exploit Methods/Userspace data usage|Userspace access]], as that is technically a superset of userspace execution.

= Examples =
* See nearly every other exploit example listed under other [[Exploit Methods]] and [[Bug Classes]].

= Mitigations =
* hardware segmentation: SMEP (x86), PXN (arm)
* compiler instrumentation to set high bit on function calls
* emulate memory segmentation via separate page tables (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit) non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v7 (32-bit) LPAE (e.g.
Cortex-A7, A15+)
| hardware PXN (since Linux v3.19)
|-
| v8.0+ (64-bit)
| hardware PXN
|-
|rowspan="2"| x86
| pre-Ivy-Bridge
|style="color: red;"| nothing (could use PCID?)
|-
| Ivy-Bridge+ (since May 2012)
| hardware PXN (SMEP)
|-
|colspan="2"| s/390
| hardware PXN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3813 (parent 3812), 2016-09-15T19:47:20Z, KeesCook, edit summary: /* Mitigations */

= Details =
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be in userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there. (Frequently known as "ret2usr".)

For more details, see [[Exploit Methods/Userspace data usage|Userspace access]], as that is technically a superset of userspace execution.

= Examples =
* See nearly every other exploit example listed under other [[Exploit Methods]] and [[Bug Classes]].

= Mitigations =
* hardware segregation: SMEP (x86), PXN (arm)
* compiler instrumentation to set high bit on function calls
* emulate memory segregation via separate page tables (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit) non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v7 (32-bit) LPAE (e.g. Cortex-A7, A15+)
| hardware PXN (since Linux v3.19)
|-
| v8.0+ (64-bit)
| hardware PXN
|-
|rowspan="2"| x86
| pre-Ivy-Bridge
|style="color: red;"| nothing (could use PCID?)
|-
| Ivy-Bridge+ (since May 2012)
| hardware PXN (SMEP)
|-
|colspan="2"| s/390
| hardware PXN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Revision 3814 (parent 3813), 2016-09-15T19:47:55Z, KeesCook, edit summary: /* Details */

= Details =
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be in userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there. (Frequently known as "ret2usr".)

For more details, see [[Exploit Methods/Userspace data usage|Userspace access]], as that can be a superset of userspace execution under some emulation situations.

= Examples =
* See nearly every other exploit example listed under other [[Exploit Methods]] and [[Bug Classes]].

= Mitigations =
* hardware segregation: SMEP (x86), PXN (arm)
* compiler instrumentation to set high bit on function calls
* emulate memory segregation via separate page tables (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:

{| class="wikitable"
!colspan="2"| CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit) non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v7 (32-bit) LPAE (e.g. Cortex-A7, A15+)
| hardware PXN (since Linux v3.19)
|-
| v8.0+ (64-bit)
| hardware PXN
|-
|rowspan="2"| x86
| pre-Ivy-Bridge
|style="color: red;"| nothing (could use PCID?)
|-
| Ivy-Bridge+ (since May 2012)
| hardware PXN (SMEP)
|-
|colspan="2"| s/390
| hardware PXN (Address Spaces)
|-
|colspan="2"| powerpc
|style="color: red;"| nothing?
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

Page: Events (page id 6)
Revision 3822 (parent 3765), 2016-10-03T14:39:05Z, JamesMorris

== Upcoming ==
* 2017 LSS TBA

== Past ==
* [[Linux Security Summit 2016]], Toronto, Canada. August 25-26.

=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA.
August 20-21.

=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].

=== 2013 ===
* [[Linux Security Summit 2013]], New Orleans, USA.

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston, MA, USA.

=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland, OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland, OR, USA.
** Event Details
* Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf, 20 January 2009, Hobart, Australia.

Revision 3823 (parent 3822), 2016-10-03T14:39:27Z, JamesMorris

== Upcoming ==
* 2017 LSS TBA

== Past ==

=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada. August 25-26.

=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21.

=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].

=== 2013 ===
* [[Linux Security Summit 2013]], New Orleans, USA.

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston, MA, USA.

=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland, OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland, OR, USA.
** Event Details
* Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf, 20 January 2009, Hobart, Australia.

Page: Linux Security Summit 2016 (page id 179)
Revision 3824 (parent 3767), 2016-10-03T14:40:28Z, JamesMorris

The Linux Security Summit for 2016 was held in Toronto, Canada, on 25th and 26th August. See the event web site for details: http://events.linuxfoundation.org/events/archive/2016/linux-security-summit

Page: Bug Classes/Use after free (page id 178)
Revision 3836 (parent 3761), 2017-02-04T05:12:39Z, DavidWindsor, edit summary: /* Mitigations */

= Details =
When a memory allocation gets freed but there are still accidental users of that memory, it is possible that an attacker could control the new memory allocation that fills the freed area, and then manipulate the contents in a way that the system uses its stale pointer and expects a different structure than is currently present. If there are function pointers contained in the structure, this allows for trivial execution control.

= Examples =
* [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring use-after-free]

= Mitigations =
* clearing memory on free can stop attacks where there is no reallocation control (e.g. PAX_MEMORY_SANITIZE)
* segregating memory used by the kernel and by userspace can stop attacks where this boundary is crossed (e.g. PAX_USERCOPY)
* randomizing heap allocations can frustrate the reallocation efforts the attack needs to perform (e.g.
OpenBSD malloc)
* reference counter overflow protection (PAX_REFCOUNT, HARDENED_ATOMIC)

Revision 3837 (parent 3836), 2017-02-04T05:12:59Z, DavidWindsor, edit summary: /* Mitigations */

= Details =
When a memory allocation gets freed but there are still accidental users of that memory, it is possible that an attacker could control the new memory allocation that fills the freed area, and then manipulate the contents in a way that the system uses its stale pointer and expects a different structure than is currently present. If there are function pointers contained in the structure, this allows for trivial execution control.

= Examples =
* [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring use-after-free]

= Mitigations =
* clearing memory on free can stop attacks where there is no reallocation control (e.g. PAX_MEMORY_SANITIZE)
* segregating memory used by the kernel and by userspace can stop attacks where this boundary is crossed (e.g. PAX_USERCOPY)
* randomizing heap allocations can frustrate the reallocation efforts the attack needs to perform (e.g. OpenBSD malloc)
* reference counter overflow protection (e.g. PAX_REFCOUNT, HARDENED_ATOMIC)

Revision 3838 (parent 3837), 2017-02-04T05:13:36Z, DavidWindsor, edit summary: Undo revision 3837 by [[Special:Contributions/DavidWindsor|DavidWindsor]] ([[User talk:DavidWindsor|talk]])

= Details =
When a memory allocation gets freed but there are still accidental users of that memory, it is possible that an attacker could control the new memory allocation that fills the freed area, and then manipulate the contents in a way that the system uses its stale pointer and expects a different structure than is currently present. If there are function pointers contained in the structure, this allows for trivial execution control.
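The following is an added userspace toy of the situation described above; it is not code from the kernsec wiki or the kernel. A tiny fixed-size slab with a LIFO freelist hands a freed slot straight back to the next same-size allocation, as the kernel's slab allocators do. A victim object holding a function pointer is freed while a stale pointer to it survives; if the attacker can reallocate the slot first, the stale call runs their function. The sanitize-on-free switch emulates the PAX_MEMORY_SANITIZE bullet and shows the caveat the page states: zeroing turns the no-reallocation case into a NULL dereference, but does nothing once the attacker controls the reallocation. The second half models the reference-counter bullet: a wrapping counter hits zero after enough gets and the object is freed while references remain, whereas a saturating counter (the PAX_REFCOUNT/HARDENED_ATOMIC idea, simplified here to a pin at UINT_MAX with no warning) never does. Slot size, the victim layout and the handler functions are this example's assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 32
#define NSLOTS 4

/* Victim object: a function pointer followed by some payload bytes. */
struct victim {
    int (*handler)(void);
    char name[24];
};

/* Toy slab: fixed-size slots and a LIFO freelist, so a freed slot is handed
 * straight back to the next same-size allocation (as SLUB does). */
static uint8_t slab[NSLOTS][SLOT_SIZE];
static int freelist[NSLOTS];
static int nfree;
static int sanitize_on_free;

static void slab_init(int sanitize)
{
    memset(slab, 0, sizeof(slab));
    nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        freelist[nfree++] = i;          /* slot 0 is handed out first */
    sanitize_on_free = sanitize;
}

static void *slab_alloc(void)
{
    return nfree ? slab[freelist[--nfree]] : NULL;
}

static void slab_free(void *p)
{
    int idx = (int)(((uint8_t *)p - slab[0]) / SLOT_SIZE);
    if (sanitize_on_free)
        memset(p, 0, SLOT_SIZE);        /* PAX_MEMORY_SANITIZE-style clearing */
    freelist[nfree++] = idx;
}

static int legit_handler(void)    { return 1; }
static int attacker_handler(void) { return 0x1337; }

/* The stale use: the caller kept a pointer to an object it already freed.
 * Returns the handler's result, or -1 when the slot holds NULL (a sanitized
 * slot crashes here instead of being hijacked). */
static int stale_call(struct victim *v)
{
    if (v->handler == NULL)
        return -1;
    return v->handler();
}

/* Free the victim, optionally let the attacker reallocate the same slot with
 * controlled contents, then use the stale pointer. */
int uaf_scenario(int sanitize, int attacker_reallocates)
{
    slab_init(sanitize);
    struct victim *v = slab_alloc();
    v->handler = legit_handler;
    strcpy(v->name, "victim");
    slab_free(v);                        /* ...but v is still held below */
    if (attacker_reallocates) {
        struct victim *spray = slab_alloc();   /* lands on the freed slot */
        spray->handler = attacker_handler;
    }
    return stale_call(v);                /* use after free */
}

/* Reference counting: a wrapping counter reaches 0 after UINT_MAX + 1 gets,
 * so a later put frees the object while references remain. A saturating
 * counter pins at UINT_MAX (simplified: no warning, no recovery). */
static unsigned int inc_wrapping(unsigned int c)   { return c + 1; }
static unsigned int dec_wrapping(unsigned int c)   { return c - 1; }
static unsigned int inc_saturating(unsigned int c) { return c == UINT_MAX ? UINT_MAX : c + 1; }
static unsigned int dec_saturating(unsigned int c) { return c == UINT_MAX ? UINT_MAX : c - 1; }

/* Returns 1 if dec-and-test would free the object while references remain. */
int refcount_overflow_frees(int hardened)
{
    unsigned int c = UINT_MAX;           /* attacker has taken 2^32 - 1 references */
    c = hardened ? inc_saturating(c) : inc_wrapping(c);   /* one more get: wraps to 0 */
    c = hardened ? inc_saturating(c) : inc_wrapping(c);   /* an unrelated legitimate get */
    c = hardened ? dec_saturating(c) : dec_wrapping(c);   /* its put: dec-and-test */
    return c == 0;
}

int main(void)
{
    printf("no sanitize, no realloc: %d\n", uaf_scenario(0, 0));
    printf("no sanitize, realloc:    0x%x\n", uaf_scenario(0, 1));
    printf("sanitize,    no realloc: %d\n", uaf_scenario(1, 0));
    printf("sanitize,    realloc:    0x%x\n", uaf_scenario(1, 1));
    printf("wrapping refcount frees early: %d\n", refcount_overflow_frees(0));
    printf("saturating refcount frees early: %d\n", refcount_overflow_frees(1));
    return 0;
}
```

The two halves correspond to the two ends of the bug class: sanitizing and randomizing the heap raise the cost of the reallocation step, while checked reference counters remove one common way the premature free is triggered in the first place.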
= Examples =
* [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring use-after-free]

= Mitigations =
* clearing memory on free can stop attacks where there is no reallocation control (e.g. PAX_MEMORY_SANITIZE)
* segregating memory used by the kernel and by userspace can stop attacks where this boundary is crossed (e.g. PAX_USERCOPY)
* randomizing heap allocations can frustrate the reallocation efforts the attack needs to perform (e.g. OpenBSD malloc)
* reference counter overflow protection (PAX_REFCOUNT, HARDENED_ATOMIC)

Revision 3839 (parent 3838), 2017-02-04T05:13:56Z, DavidWindsor, edit summary: Undo revision 3836 by [[Special:Contributions/DavidWindsor|DavidWindsor]] ([[User talk:DavidWindsor|talk]])

= Details =
When a memory allocation gets freed but there are still accidental users of that memory, it is possible that an attacker could control the new memory allocation that fills the freed area, and then manipulate the contents in a way that the system uses its stale pointer and expects a different structure than is currently present. If there are function pointers contained in the structure, this allows for trivial execution control.

= Examples =
* [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring use-after-free]

= Mitigations =
* clearing memory on free can stop attacks where there is no reallocation control (e.g. PAX_MEMORY_SANITIZE)
* segregating memory used by the kernel and by userspace can stop attacks where this boundary is crossed (e.g. PAX_USERCOPY)
* randomizing heap allocations can frustrate the reallocation efforts the attack needs to perform (e.g.
OpenBSD malloc) 6b0dbd88f3349cb2d35d70a8cf82228c50231f35 3840 3839 2017-02-04T05:14:40Z DavidWindsor 6 Add reference counter overflow protection to Mitigations wikitext text/x-wiki = Details = When a memory allocation gets freed but there are still accidentally users of that memory, it is possible that an attacker could control the new memory allocation that fills the freed area, and then manipulate the contents in a way that the system uses its stale pointer and expects a different structure than is currently present. If there are function pointers contained in the structure, this allows for trivial execution control. = Examples = * [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring use-after-free] = Mitigations = * clearing memory on free can stop attacks where there is no reallocation control (e.g. PAX_MEMORY_SANITIZE) * segregating memory used by the kernel and by userspace can stop attacks where this boundary is crossed (e.g. PAX_USERCOPY) * randomizing heap allocations can frustrate the reallocation efforts the attack needs to perform (e.g. OpenBSD malloc) * reference counter overflow protection (e.g. PAX_REFCOUNT, HARDENED_ATOMIC) 681f9132cba4c5c29c8dc99f4170e4b605afea4d Kernel Self Protection Project 0 162 3841 3835 2017-02-04T05:34:45Z DavidWindsor 6 Create sections for Completed Kernel Protections and HARDENED_ATOMIC subsection wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. 

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Completed Kernel Protections =

The following kernel protections have already been accepted into the mainline Linux kernel, or are in some stage of development.

==== [[Protections/HARDENED_ATOMC|HARDENED_ATOMIC]] ====
: Kernel reference counter overflow protection

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

f83b31d48f397f3af3d4e1c01f5d5105a6726574

3842 3841 2017-02-04T05:38:25Z DavidWindsor 6 Adjust linked page name to be consistent with existing naming scheme wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Completed Kernel Protections =

The following kernel protections have already been accepted into the mainline Linux kernel, or are in some stage of development.

==== [[Kernel_Protections/HARDENED_ATOMC|HARDENED_ATOMIC]] ====
: Kernel reference counter overflow protection

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

271640807dfbbd4159e74825b8ab051082881919

3844 3842 2017-02-04T06:44:15Z DavidWindsor 6 Fix link to HARDENED_ATOMIC wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Completed Kernel Protections =

The following kernel protections have already been accepted into the mainline Linux kernel, or are in some stage of development.

==== [[Kernel_Protections/HARDENED_ATOMIC|HARDENED_ATOMIC]] ====
: Kernel reference counter overflow protection

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 74dc20fe1e92a96323545753633b0e259967e0e1 3851 3844 2017-02-10T23:48:33Z KeesCook 3 /* Completed Kernel Protections */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). 
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. 
Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. = Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Documentation = For kernel protections already in upstream (or under active development) that have specific documentation: ==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ==== : Kernel reference counter overflow protection = Specific TODO Items = Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention: * Split thread_info 
off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?) * Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?) * Implement kernel relocation and KASLR for ARM * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress) * Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it) * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (e.g. perf_event_paranoid=3) * Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?) * Extend HARDENED_USERCOPY to use slab whitelisting * Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()svmalloc stack guard pages * protect ARM vector table as fixed-location kernel target * disable kuser helpers on arm * harden and rename CONFIG_DEBUG_LIST better and default=y * add zeroing of copy_from_user on failure test to test_usercopy.c * consolidate all architecture's use of usercopy into asm-generic/uaccess.h * add WARN path for page-spanning usercopy checks (instead of the separate CONFIG) * create UNEXPECTED(), like BUG() but without the lock-busting, etc * adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too) * provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register() * expand use of __ro_after_init, especially in arch/arm64 * Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?) 
= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

6ac6dbd7b4acc6fd737d11375bf3fc63443e851c 3852 3851 2017-02-10T23:51:13Z KeesCook 3 /* Documentation */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. They should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or otherwise need some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* Protect ARM vector table as fixed-location kernel target
* Disable kuser helpers on arm
* Harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* Add zeroing of copy_from_user on failure test to test_usercopy.c
* Consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* Add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* Create UNEXPECTED(), like BUG() but without the lock-busting, etc.
* Adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompatible with usercopy too)
* Provide a mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* Expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.
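Settings like these drift between kernel builds and distro upgrades, so it is worth having a mechanical check. The POSIX shell script below is an added example, not part of this wiki page or of the kernel tree: it audits a kernel .config file and the live sysctl values against a representative subset of the values recommended in this section. The subset of options it checks, the rule that each sysctl value is a minimum (higher is stricter for all five), treating =m as "enabled" for options that should be off, and reading sysctls from a /proc/sys-style directory tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the KSPP wiki: audit a kernel build config and live
# sysctl values against a subset of the recommended settings in this section.
# The option subset, the ">= minimum" rule for sysctls and the file layout
# assumed for sysctls (ROOT/kernel/kptr_restrict etc.) are this example's own.

# "OPTION WANT" pairs: y = must be built in, n = must be absent or "is not set".
WANTED_CONFIGS='
CONFIG_STRICT_DEVMEM y
CONFIG_IO_STRICT_DEVMEM y
CONFIG_DEBUG_RODATA y
CONFIG_CC_STACKPROTECTOR_STRONG y
CONFIG_HARDENED_USERCOPY y
CONFIG_SLAB_FREELIST_RANDOM y
CONFIG_SECCOMP_FILTER y
CONFIG_SECURITY_YAMA y
CONFIG_PANIC_ON_OOPS y
CONFIG_DEVKMEM n
CONFIG_COMPAT_BRK n
CONFIG_COMPAT_VDSO n
CONFIG_KEXEC n
CONFIG_HIBERNATION n
CONFIG_LEGACY_PTYS n
CONFIG_ACPI_CUSTOM_METHOD n
'

# "KEY MINIMUM" pairs; every one of these gets stricter as the value grows.
WANTED_SYSCTLS='
kernel.kptr_restrict 1
kernel.dmesg_restrict 1
kernel.perf_event_paranoid 3
kernel.kexec_load_disabled 1
kernel.yama.ptrace_scope 1
'

# check_config FILE: print one FAIL line per mismatch; the exit status is the
# number of mismatches, so 0 means FILE satisfies the whole list.
check_config() {
    cfg="$1"
    fails=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }
    while read -r opt want; do
        [ -n "$opt" ] || continue
        case "$want" in
        y)
            # Anchored on both ends so CONFIG_STRICT_DEVMEM does not match
            # CONFIG_IO_STRICT_DEVMEM and =y does not match =ym.
            if ! grep -q "^$opt=y\$" "$cfg"; then
                echo "FAIL: $opt should be =y"
                fails=$((fails + 1))
            fi
            ;;
        n)
            # Built in (=y) or as a module (=m) both count as enabled.
            if grep -q "^$opt=[ym]\$" "$cfg"; then
                echo "FAIL: $opt should be unset"
                fails=$((fails + 1))
            fi
            ;;
        esac
    done <<EOF
$WANTED_CONFIGS
EOF
    return "$fails"
}

# check_sysctls [ROOT]: read each key below ROOT (default /proc/sys), mapping
# kernel.yama.ptrace_scope to ROOT/kernel/yama/ptrace_scope, and require the
# value to be at least the recommended minimum. Exit status: mismatch count.
check_sysctls() {
    root="${1:-/proc/sys}"
    fails=0
    while read -r key min; do
        [ -n "$key" ] || continue
        path="$root/$(echo "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            # A missing knob usually means the feature is not built in (e.g. Yama).
            echo "FAIL: $key not available under $root"
            fails=$((fails + 1))
            continue
        fi
        cur=$(cat "$path")
        case "$cur" in
        ''|*[!0-9-]*)
            echo "FAIL: $key has non-numeric value '$cur'"
            fails=$((fails + 1))
            continue
            ;;
        esac
        if [ "$cur" -lt "$min" ]; then
            echo "FAIL: $key is $cur, want >= $min"
            fails=$((fails + 1))
        fi
    done <<EOF
$WANTED_SYSCTLS
EOF
    return "$fails"
}

# Command-line use: audit.sh CONFIG_FILE [SYSCTL_ROOT]. With no arguments the
# functions are only defined, so the file can also be sourced.
if [ $# -ge 1 ]; then
    total=0
    check_config "$1" || total=$((total + $?))
    check_sysctls "${2:-/proc/sys}" || total=$((total + $?))
    echo "$total mismatch(es)"
    exit $((total > 0))
fi
```

Run it against the booted kernel with `sh audit.sh /boot/config-$(uname -r)` (or `zcat /proc/config.gz > /tmp/config` first when CONFIG_IKCONFIG_PROC is enabled). Because the functions return the mismatch count, the script can gate a build pipeline or a boot-time health check without parsing its output.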
== CONFIGs == # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targetted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_BUG_ON_DATA_CORRUPTION=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists. CONFIG_SLAB_FREELIST_RANDOM=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. 
# CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y === x86_64 === # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set === arm === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. 
CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 841c5c03fa255c56bf47034da53fe2ccc91311dd 3853 3852 2017-02-10T23:51:59Z KeesCook 3 move docs section down to keep "work areas" and "TODOs" together wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. 
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". 
When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. = Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are 
number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

679eb85fff3d087c423d376bdac502f65687bf80 3854 3853 2017-02-10T23:54:29Z KeesCook 3 /* Specific TODO Items */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs; they should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself.
Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

a32a83586b9596d0f582d522bdf858df23b9e725 3855 3854 2017-02-13T22:29:41Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].
These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs; they should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.
While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

53b4a6057b203a9efac858e3d787c000123e66c6 3857 3855 2017-04-26T22:18:43Z KeesCook 3 /* Mission Statement */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
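The build CONFIGs and sysctls in the "Recommended settings" section above can be checked mechanically against a kernel's .config (e.g. the contents of /proc/config.gz) and a `sysctl -a` snapshot. The following Python script is an added example, not code from this wiki or the kernel tree: it encodes a subset of the page's recommendations (the full list can be pasted in the same way), handles the `# CONFIG_X is not set` form, treats an absent option as off, and reports every deviation; the sample .config and sysctl lines are constructed, not taken from a real system.

```python
"""Audit a kernel .config and a sysctl snapshot against the KSPP recommended settings."""
import re
from typing import Dict, List, Tuple

# Subset of the page's "Recommended settings" (extend from the list above as needed).
# "n" means the option must be absent or appear as "# CONFIG_X is not set".
RECOMMENDED_CONFIG = {
    "CONFIG_BUG": "y", "CONFIG_DEBUG_RODATA": "y", "CONFIG_CC_STACKPROTECTOR_STRONG": "y",
    "CONFIG_STRICT_DEVMEM": "y", "CONFIG_DEBUG_LIST": "y", "CONFIG_SECCOMP_FILTER": "y",
    "CONFIG_SECURITY_YAMA": "y", "CONFIG_HARDENED_USERCOPY": "y",
    "CONFIG_SLAB_FREELIST_RANDOM": "y", "CONFIG_PANIC_ON_OOPS": "y",
    "CONFIG_PANIC_TIMEOUT": "-1", "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_ACPI_CUSTOM_METHOD": "n", "CONFIG_COMPAT_BRK": "n", "CONFIG_DEVKMEM": "n",
    "CONFIG_PROC_KCORE": "n", "CONFIG_KEXEC": "n", "CONFIG_LEGACY_PTYS": "n",
}
# Architecture-specific entries, grouped the way the page groups them.
ARCH_CONFIG = {
    "x86_64": {"CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536", "CONFIG_RANDOMIZE_BASE": "y",
               "CONFIG_RANDOMIZE_MEMORY": "y", "CONFIG_LEGACY_VSYSCALL_NONE": "y",
               "CONFIG_X86_X32": "n"},
    "arm64": {"CONFIG_DEFAULT_MMAP_MIN_ADDR": "32768", "CONFIG_RANDOMIZE_BASE": "y"},
}
RECOMMENDED_SYSCTL = {
    "kernel.kptr_restrict": "1", "kernel.dmesg_restrict": "1",
    "kernel.perf_event_paranoid": "3", "kernel.kexec_load_disabled": "1",
    "kernel.yama.ptrace_scope": "1",
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Map CONFIG_* names to values; '# CONFIG_X is not set' lines become 'n'."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            values[m.group(1)] = "n"
    return values


def audit_kconfig(text: str, arch: str) -> List[Tuple[str, str, str]]:
    """Return (option, expected, actual) for every deviation, sorted by option name."""
    actual = parse_kconfig(text)
    wanted = dict(RECOMMENDED_CONFIG, **ARCH_CONFIG.get(arch, {}))
    findings = []
    for opt, expected in sorted(wanted.items()):
        got = actual.get(opt, "n")  # an option absent from .config is off
        if got != expected:
            findings.append((opt, expected, got))
    return findings


def audit_sysctl(text: str) -> List[Tuple[str, str, str]]:
    """Same check for 'sysctl -a' style output ('key = value' per line)."""
    actual: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            actual[key.strip()] = val.strip()
    return [(k, exp, actual.get(k, "<missing>"))
            for k, exp in sorted(RECOMMENDED_SYSCTL.items()) if actual.get(k) != exp]


# Constructed sample input (not from a real system): a mostly-hardened x86_64 .config
# that still has /dev/kmem on, usercopy checks off, a low mmap_min_addr and no
# module-signature enforcement; plus a sysctl snapshot with two weak values.
SAMPLE_CONFIG = """\
CONFIG_BUG=y
CONFIG_DEBUG_RODATA=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_DEVMEM=y
CONFIG_DEBUG_LIST=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECURITY_YAMA=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
CONFIG_DEVKMEM=y
# CONFIG_KEXEC is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_LEGACY_VSYSCALL_NONE=y
# CONFIG_X86_X32 is not set
"""
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 0
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 2
kernel.yama.ptrace_scope = 1
"""

if __name__ == "__main__":
    for finding in audit_kconfig(SAMPLE_CONFIG, "x86_64") + audit_sysctl(SAMPLE_SYSCTL):
        print("%s: expected %s, found %s" % finding)
```

On a live system feed it `zcat /proc/config.gz` (or /boot/config-$(uname -r)) and `sysctl -a`; the arch key selects which per-architecture block of the page applies.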
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs; they should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompatible with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y
# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

=== arm64 ===
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for the /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1

=== x86_64 ===
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

== sysctls ==
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1

7dea56d3f89f74036d76321e02655282e3f51368 3858 3857 2017-04-26T22:19:12Z KeesCook 3 /* Mission Statement */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs; they should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompatible with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y
# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

=== arm64 ===
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for the /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1

=== x86_64 ===
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

== sysctls ==
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1

1ced97a12a7062d25453c8d952df6531889f5bdd 3859 3858 2017-04-26T22:23:48Z KeesCook 3 /* Principles */ wikitext text/x-wiki

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
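The build CONFIGs and sysctls from the "Recommended settings" section above, turned into an audit script as an added example (not code from the wiki or from the kernel project): it compares a kernel .config and a file of "key = value" sysctl lines against the values listed there, treating each sysctl value as a minimum. The write_samples function and the good/bad sample files it produces are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the kernsec wiki: audit a kernel .config and a set of
# sysctl values against the "Recommended settings" above. Only the
# architecture-independent CONFIGs are checked; the sysctl values are treated
# as minimums, since every one of them is "higher is stricter".

# Options that must appear in the .config exactly like this (space-separated).
WANT_SET='CONFIG_BUG=y CONFIG_DEBUG_RODATA=y CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y CONFIG_SYN_COOKIES=y
CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SECCOMP_FILTER=y CONFIG_SECURITY_YAMA=y
CONFIG_HARDENED_USERCOPY=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLUB_DEBUG=y
CONFIG_PAGE_POISONING=y CONFIG_PANIC_ON_OOPS=y'

# Options that must be absent or "# ... is not set".
WANT_UNSET='CONFIG_DEVMEM CONFIG_ACPI_CUSTOM_METHOD CONFIG_COMPAT_BRK CONFIG_DEVKMEM
CONFIG_PROC_KCORE CONFIG_COMPAT_VDSO CONFIG_KEXEC CONFIG_HIBERNATION
CONFIG_INET_DIAG CONFIG_BINFMT_MISC CONFIG_LEGACY_PTYS'

# Minimum sysctl values, one "key value" pair per line.
WANT_SYSCTL='kernel.kptr_restrict 1
kernel.dmesg_restrict 1
kernel.perf_event_paranoid 3
kernel.kexec_load_disabled 1
kernel.yama.ptrace_scope 1'

# check_kconfig FILE: print one line per deviation; exit status 1 if any.
check_kconfig() {
    cfg=$1
    rc=0
    for want in $WANT_SET; do
        grep -qxF -- "$want" "$cfg" || { echo "MISSING $want"; rc=1; }
    done
    for opt in $WANT_UNSET; do
        if grep -q "^$opt=" "$cfg"; then echo "ENABLED $opt"; rc=1; fi
    done
    # Modules are best left out entirely; if they are built, enforce signing.
    if grep -qxF 'CONFIG_MODULES=y' "$cfg" &&
       ! grep -qxF 'CONFIG_MODULE_SIG_FORCE=y' "$cfg"; then
        echo "UNSIGNED_MODULES CONFIG_MODULES=y without CONFIG_MODULE_SIG_FORCE=y"
        rc=1
    fi
    return $rc
}

# check_sysctls FILE: FILE holds "key = value" lines, e.g. the output of
#   sysctl kernel.kptr_restrict kernel.dmesg_restrict kernel.perf_event_paranoid \
#          kernel.kexec_load_disabled kernel.yama.ptrace_scope
# (or a sysctl.conf). Missing keys and values below the minimum are reported.
check_sysctls() {
    file=$1
    rc=0
    while read -r key want; do
        have=$(awk -F '[ \t]*=[ \t]*' -v k="$key" \
                   '$1 == k { v = $2 } END { print v }' "$file")
        if [ -z "$have" ]; then
            echo "MISSING $key"; rc=1
        elif [ "$have" -lt "$want" ]; then
            echo "WEAK $key=$have (want >= $want)"; rc=1
        fi
    done <<EOF
$WANT_SYSCTL
EOF
    return $rc
}

# write_samples DIR: constructed inputs (not captured from any real host) so the
# checks can be exercised offline.
write_samples() {
    dir=$1
    mkdir -p "$dir"
    # A config that follows the recommendations and ships signed modules.
    { printf '%s\n' $WANT_SET; printf '# %s is not set\n' $WANT_UNSET
      printf 'CONFIG_MODULES=y\nCONFIG_MODULE_SIG_FORCE=y\n'; } > "$dir/good.config"
    # A looser config: /dev/kmem on, modules unsigned, no usercopy hardening.
    grep -v -e '^CONFIG_HARDENED_USERCOPY=' -e '^CONFIG_MODULE_SIG_FORCE=' \
         -e '^# CONFIG_DEVKMEM ' "$dir/good.config" > "$dir/bad.config"
    echo 'CONFIG_DEVKMEM=y' >> "$dir/bad.config"
    printf '%s\n' 'kernel.kptr_restrict = 2' 'kernel.dmesg_restrict = 1' \
        'kernel.perf_event_paranoid = 3' 'kernel.kexec_load_disabled = 1' \
        'kernel.yama.ptrace_scope = 1' > "$dir/good.sysctl"
    printf '%s\n' 'kernel.kptr_restrict = 0' 'kernel.dmesg_restrict = 1' \
        'kernel.perf_event_paranoid = 1' 'kernel.kexec_load_disabled = 0' \
        > "$dir/bad.sysctl"
}

# Stand-alone demo on the constructed samples: "sh kconfig-check.sh demo".
# On a real host, point check_kconfig at /boot/config-$(uname -r) (or an
# uncompressed /proc/config.gz) and check_sysctls at the sysctl output above.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in good bad; do
        echo "== $f.config"; check_kconfig "$tmp/$f.config" || true
        echo "== $f.sysctl"; check_sysctls "$tmp/$f.sysctl" || true
    done
    rm -rf "$tmp"
fi
```

The bad.config sample yields MISSING, ENABLED and UNSIGNED_MODULES lines, and the bad.sysctl sample yields three WEAK lines and one MISSING line; a clean exit status means every listed setting is at least as strict as the wiki recommends.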
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden CONFIG_DEBUG_LIST, give it a better name, and make it default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architectures' use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompatible with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y
# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y == kernel command line options == # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 576cb88272fe6edabbfccfecbdc709cf906a4421 3861 3859 2017-04-28T19:14:36Z KeesCook 3 /* Specific TODO Items */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. 

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST better and default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =
People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==
 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

503160a2aadd42babfcafafc658d28222915be4e 3862 3861 2017-04-29T20:31:40Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST better and default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =
People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==
 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

75fe6b3a4adec7e3087a07c10078ca7d7a11260c 3863 3862 2017-04-29T20:33:52Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
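To turn the "Recommended settings" lists above into something checkable, here is an added example (not code from the wiki page) that audits a kernel .config and `sysctl -a` output against a representative subset of the recommended values. The symbol names and values are transcribed from the lists above; the sample .config and sysctl lines are constructed, and the subset can be extended with the remaining entries from the page.

```python
# Audit a kernel .config and 'sysctl -a' output against a representative
# subset of the "Recommended settings" above.  Added example, not code from
# the wiki page; the sample inputs below are constructed.
import re

# Build-time expectations.  None means "must be disabled", which in a .config
# is either a '# CONFIG_X is not set' line or the symbol being absent.
COMMON_CONFIGS = {
    "CONFIG_BUG": "y",
    "CONFIG_CC_STACKPROTECTOR_STRONG": "y",
    "CONFIG_STRICT_DEVMEM": "y",
    "CONFIG_HARDENED_USERCOPY": "y",
    "CONFIG_SLAB_FREELIST_RANDOM": "y",
    "CONFIG_DEVMEM": None,
    "CONFIG_DEVKMEM": None,
    "CONFIG_KEXEC": None,
}
# Per-architecture additions, keyed by the symbol that selects the arch.
ARCH_CONFIGS = {
    "CONFIG_X86_64": {
        "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",
        "CONFIG_RANDOMIZE_BASE": "y",
        "CONFIG_IA32_EMULATION": None,
    },
}
# Modules are optional, but if built they must be signed with enforcement.
MODULE_CONFIGS = {"CONFIG_MODULE_SIG": "y", "CONFIG_MODULE_SIG_FORCE": "y",
                  "CONFIG_MODULE_SIG_ALL": "y"}
# Runtime expectations from the "sysctls" list.
SYSCTLS = {
    "kernel.kptr_restrict": "1",
    "kernel.dmesg_restrict": "1",
    "kernel.perf_event_paranoid": "3",
    "kernel.yama.ptrace_scope": "1",
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map each symbol to its value; explicitly disabled symbols map to None."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if (m := _SET.match(line)):
            opts[m.group(1)] = m.group(2)
        elif (m := _UNSET.match(line)):
            opts[m.group(1)] = None
    return opts

def audit_config(text):
    """Return sorted (symbol, wanted, actual) triples that deviate."""
    opts = parse_config(text)
    expected = dict(COMMON_CONFIGS)
    for arch_sym, extra in ARCH_CONFIGS.items():
        if opts.get(arch_sym) == "y":
            expected.update(extra)
    if opts.get("CONFIG_MODULES") == "y":
        expected.update(MODULE_CONFIGS)
    # opts.get() gives None for absent symbols, so absent == disabled here.
    return [(sym, want, opts.get(sym))
            for sym, want in sorted(expected.items()) if opts.get(sym) != want]

def audit_sysctls(text):
    """Parse 'key = value' lines and return (key, wanted, actual) deviations."""
    have = {}
    for line in text.splitlines():
        if " = " in line:
            key, val = line.split(" = ", 1)
            have[key.strip()] = val.strip()
    return [(key, want, have.get(key))
            for key, want in sorted(SYSCTLS.items()) if have.get(key) != want]

# Constructed sample: an x86_64 build that misses several recommendations.
SAMPLE_CONFIG = """\
CONFIG_X86_64=y
CONFIG_BUG=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_KEXEC=y
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_RANDOMIZE_BASE=y
CONFIG_IA32_EMULATION=y
"""
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 0
kernel.perf_event_paranoid = 2
kernel.yama.ptrace_scope = 1
"""

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    print(audit_sysctls(SAMPLE_SYSCTL))
```

Run against a real system, feed it the contents of /boot/config-$(uname -r) (or /proc/config.gz) and the output of `sysctl -a`; an absent symbol is reported as disabled, matching how Kconfig treats it.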
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. 
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).
= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.
If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.
We need kernel developers, compiler developers, testers, backporters, and documentation writers.
= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.
While the following is far from a comprehensive list, it's at least a starting point we can add to:
== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]
== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]
= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST better and default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:
==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====
==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection
= Recommended settings =
People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.
== CONFIGs ==
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y
# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
=== x86_32 ===
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
=== x86_64 ===
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
=== arm ===
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set
=== arm64 ===
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
== kernel command line options ==
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
=== x86_64 ===
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none
== sysctls ==
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
8a3bfd42dc736835ed37b5bb9fa5cf7974b80e00 3864 3863 2017-05-05T19:32:35Z KeesCook 3 rename RODATA, add PAN emu wikitext text/x-wiki
= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].
These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.
Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.
= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).
= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.
If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.
We need kernel developers, compiler developers, testers, backporters, and documentation writers.
= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.
While the following is far from a comprehensive list, it's at least a starting point we can add to:
== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]
== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]
= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST better and default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:
==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====
==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection
= Recommended settings =
People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.
== CONFIGs ==
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y
# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
=== x86_32 ===
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
=== x86_64 ===
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
=== arm ===
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set
=== arm64 ===
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
== kernel command line options ==
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
=== x86_64 ===
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none
== sysctls ==
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
85693e1884eed8b731b874a227bba73c5bc9e615 3865 3864 2017-05-05T20:17:11Z KeesCook 3 /* CONFIGs */ add DEBUG_WX=y wikitext text/x-wiki
= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].
These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.
Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.
= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).
= Get Involved =
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.
If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.
We need kernel developers, compiler developers, testers, backporters, and documentation writers.
= Work Areas =
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.
While the following is far from a comprehensive list, it's at least a starting point we can add to:
== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]
== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]
= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST better and default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:
==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====
==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection
= Recommended settings =
People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.
== CONFIGs ==
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y
# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1

Revision 3866 (parent 3865), 2017-05-10T21:52:45Z, KeesCook, /* sysctls */ USER_NS, sha1 6d5a1294f13ebde996a36d8a9832a2f8de493f67

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).

Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.
While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST to something better and make it default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 
 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

Revision 3867 (parent 3866), 2017-06-05T19:27:43Z, KeesCook, /* Get Involved */, sha1 144460b9ea0c3efe2eb2acb8fb9305939348c7e3

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).

Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.
Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list].

== Introduce Yourself ==

Send an email to introduce yourself! Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

== Patch Contribution Guidelines ==

When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches].
Even if you're only sending your patches to the kernel-hardening mailing list for some early review, it's best to get as much of the coding style and submission semantics correct as you can, to avoid reviewers needing to recommend changes in those areas.

As with any other Open Source project, it is particularly important, if you're upstreaming work from other Open Source projects, that your patches give credit to the original authors, that licenses are compatible, that copyright notices are retained, etc.

Additionally, Grsecurity has asked that contributors include this in commit messages:

 $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST to something better and make it default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =

People ask from time to time what a good set of security-related build CONFIGs and runtime sysctls looks like. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 
 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

Revision 3868 (parent 3867), 2017-06-05T19:29:03Z, KeesCook, /* Patch Contribution Guidelines */, sha1 e135d8d35f6a87e65ef451f54ed456e435fc560b

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).
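The "Recommended settings" lists in the revisions above (build CONFIGs, kernel command line options and sysctls) can be checked mechanically against a system's .config, /proc/cmdline and sysctl -a output. The checker below is an added example, not code from the wiki or from the project: the option names and values are transcribed from those lists, the architecture and kernel version are passed in so that the v4.11 rename of the RWX options is honoured, and the sample inputs are constructed (an x86_64 v4.14 build with deliberate deviations).

```python
# Added example (not code from the wiki or the KSPP project): check a kernel .config,
# /proc/cmdline and sysctl output against the page's "Recommended settings" lists.
import re
# Architecture-independent CONFIGs the page wants =y (option names transcribed from the page).
WANT_SET = [
    "BUG", "DEBUG_KERNEL", "DEBUG_WX", "CC_STACKPROTECTOR", "CC_STACKPROTECTOR_STRONG",
    "STRICT_DEVMEM", "IO_STRICT_DEVMEM", "SYN_COOKIES", "DEBUG_CREDENTIALS", "DEBUG_NOTIFIERS",
    "DEBUG_LIST", "DEBUG_SG", "BUG_ON_DATA_CORRUPTION", "SECCOMP", "SECCOMP_FILTER", "SECURITY",
    "SECURITY_YAMA", "HARDENED_USERCOPY", "SLAB_FREELIST_RANDOM", "SLUB_DEBUG", "PAGE_POISONING",
    "PAGE_POISONING_ZERO", "VMAP_STACK", "PANIC_ON_OOPS",
]
# CONFIGs the page marks dangerous or needless ("# CONFIG_FOO is not set").
WANT_UNSET = [
    "DEVMEM", "ACPI_CUSTOM_METHOD", "COMPAT_BRK", "DEVKMEM", "PROC_KCORE", "COMPAT_VDSO",
    "KEXEC", "HIBERNATION", "INET_DIAG", "BINFMT_MISC", "LEGACY_PTYS", "MODULES",
]
# Per architecture: (DEFAULT_MMAP_MIN_ADDR, extra =y options, extra options to leave unset).
ARCH = {
    "x86_64": ("65536", ["X86_64", "RANDOMIZE_BASE", "RANDOMIZE_MEMORY", "LEGACY_VSYSCALL_NONE"],
               ["IA32_EMULATION", "X86_X32", "MODIFY_LDT_SYSCALL"]),
    "x86_32": ("65536", ["X86_PAE", "HIGHMEM64G", "RANDOMIZE_BASE"], ["M486", "HIGHMEM4G"]),
    "arm": ("32768", ["VMSPLIT_3G", "CPU_SW_DOMAIN_PAN"], ["OABI_COMPAT"]),
    "arm64": ("32768", ["RANDOMIZE_BASE", "ARM64_SW_TTBR0_PAN"], []),
}
# Runtime sysctls and the values the page recommends.
WANT_SYSCTL = {"kernel.kptr_restrict": 1, "kernel.dmesg_restrict": 1,
               "kernel.perf_event_paranoid": 3, "kernel.kexec_load_disabled": 1,
               "kernel.yama.ptrace_scope": 1, "user.max_user_namespaces": 0}

def parse_config(text):
    """Map CONFIG names to values; '# CONFIG_X is not set' becomes 'n'; absent keys stay absent."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^CONFIG_(\w+)=(.*)$|^# CONFIG_(\w+) is not set$", line)
        if m and m.group(1):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m:
            opts[m.group(3)] = "n"
    return opts

def parse_sysctls(text):
    """Parse 'key = value' lines as printed by sysctl -a."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def check_config(opts, arch, version):
    """List deviations from the page's build-time recommendations for this arch and version."""
    new = tuple(int(x) for x in version.split(".")[:2]) >= (4, 11)  # v4.11 renamed the RWX options
    mmap_min, arch_set, arch_unset = ARCH[arch]
    want_set = WANT_SET + arch_set + ["STRICT_KERNEL_RWX" if new else "DEBUG_RODATA"]
    findings = [f"CONFIG_{n} should be y (is {opts.get(n, 'missing')})"
                for n in want_set if opts.get(n) != "y"]
    findings += [f"CONFIG_{n} should not be set (is {opts[n]})"
                 for n in WANT_UNSET + arch_unset if opts.get(n, "n") != "n"]
    if opts.get("PANIC_TIMEOUT") != "-1":
        findings.append("CONFIG_PANIC_TIMEOUT should be -1 (reboot immediately on Oops)")
    if opts.get("DEFAULT_MMAP_MIN_ADDR") != mmap_min:
        findings.append(f"CONFIG_DEFAULT_MMAP_MIN_ADDR should be {mmap_min} on {arch}")
    if opts.get("MODULES") == "y":  # unavoidable modules must be signed and RWX-protected
        for n in ["MODULE_SIG", "MODULE_SIG_FORCE", "MODULE_SIG_ALL", "MODULE_SIG_SHA512",
                  "STRICT_MODULE_RWX" if new else "DEBUG_SET_MODULE_RONX"]:
            if opts.get(n) != "y":
                findings.append(f"CONFIG_{n} should be y when CONFIG_MODULES=y")
    return findings

def check_cmdline(cmdline, arch):
    """List the page's boot options missing from /proc/cmdline (vsyscall=none is x86_64-only)."""
    want = ["slub_debug=P", "page_poison=1"] + (["vsyscall=none"] if arch == "x86_64" else [])
    return [f"{w} missing from kernel command line" for w in want if w not in cmdline.split()]

def check_sysctls(values):
    """List runtime sysctls that are absent or differ from the page's recommended values."""
    findings = []
    for key, want in WANT_SYSCTL.items():
        if key not in values:
            findings.append(f"{key} is missing (feature not built in?)")
        elif int(values[key]) != want:
            findings.append(f"{key} should be {want} (is {values[key]})")
    return findings

def sample_config():
    """Constructed x86_64 .config: the page's recommendations plus deliberate deviations."""
    lines = [f"CONFIG_{n}=y" for n in WANT_SET + ARCH["x86_64"][1]]
    lines += [f"# CONFIG_{n} is not set" for n in WANT_UNSET + ARCH["x86_64"][2]
              if n not in ("KEXEC", "MODULES")]
    lines += ["CONFIG_PANIC_TIMEOUT=-1", "CONFIG_DEFAULT_MMAP_MIN_ADDR=65536",
              "CONFIG_DEBUG_RODATA=y",  # pre-v4.11 name, ineffective on a v4.14 kernel
              "CONFIG_KEXEC=y", "CONFIG_MODULES=y", "CONFIG_MODULE_SIG=y",
              "CONFIG_MODULE_SIG_ALL=y", "CONFIG_MODULE_SIG_SHA512=y",
              "CONFIG_STRICT_MODULE_RWX=y"]  # MODULE_SIG_FORCE deliberately missing
    return "\n".join(lines)

# Constructed sysctl -a excerpt: perf_event_paranoid too low, user.max_user_namespaces absent.
SAMPLE_SYSCTL = ("kernel.kptr_restrict = 1\nkernel.dmesg_restrict = 1\n"
                 "kernel.perf_event_paranoid = 2\nkernel.kexec_load_disabled = 1\n"
                 "kernel.yama.ptrace_scope = 1\n")
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 slub_debug=P vsyscall=none"  # constructed

if __name__ == "__main__":
    report = check_config(parse_config(sample_config()), "x86_64", "4.14.0")
    report += check_cmdline(SAMPLE_CMDLINE, "x86_64") + check_sysctls(parse_sysctls(SAMPLE_SYSCTL))
    print("\n".join(report))
```

On a real host, feed it /boot/config-$(uname -r) (or /proc/config.gz), /proc/cmdline and the output of sysctl -a; the version-dependent names matter because a stale CONFIG_DEBUG_RODATA=y line in a post-v4.11 config provides no protection.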
= Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list]. == Introduce Yourself == Send an email to introduce yourself! Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. == Patch Contribution Guidelines == When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the kernel-hardening mailing list for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas. As with any other Open Source project, it is particularly important that if you're working on upstreaming work from other Open Source projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. Additionally, Grsecurity has asked that contributors include this in commit messages for non-trivial code ported from Grsecurity: $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. 
= Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention: * Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?) * Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?) * Implement kernel relocation and KASLR for ARM * Write a plugin to clear struct padding * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it) * Convert remaining BPF JITs to eBPF JIT (with blinding) * Write lib/test_bpf.c tests for eBPF constant blinding * Further restriction of perf_event_open (e.g. 
perf_event_paranoid=3) * Extend HARDENED_USERCOPY to use slab whitelisting (in progress) * Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()svmalloc stack guard pages (in progress) * protect ARM vector table as fixed-location kernel target * disable kuser helpers on arm * rename CONFIG_DEBUG_LIST better and default=y * add WARN path for page-spanning usercopy checks (instead of the separate CONFIG) * create UNEXPECTED(), like BUG() but without the lock-busting, etc * create defconfig "make" target for by-default hardened Kconfigs (using guidelines below) * provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register() * expand use of __ro_after_init, especially in arch/arm64 * Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?) * restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM]) = Documentation = For kernel protections already in upstream (or under active development) that have specific documentation: ==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ==== ==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ==== : Kernel reference counter overflow protection = Recommended settings = People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system. == CONFIGs == # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). 
CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists. CONFIG_SLAB_FREELIST_RANDOM=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. 
# CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" === x86_32 === # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y === x86_64 === # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set === arm === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). 
CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y == kernel command line options == # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 === x86_64 === # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none == sysctls == # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. 
 user.max_user_namespaces = 0

----
Revision 3869 (parent 3868), 2017-06-05T23:21:25Z, by KeesCook, edit summary: /* Patch Contribution Guidelines */

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list].

== Introduce Yourself ==

Send an email to introduce yourself! Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

== Patch Contribution Guidelines ==

When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the kernel-hardening mailing list for some early review, it's best to get as much of the coding style and submission semantics correct as possible, to avoid reviewers needing to recommend changes in those areas.

As with any other Open Source project, it is particularly important that, if you're upstreaming work from other Open Source projects, your patches give credit to the original authors, that licenses are compatible, that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 Grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For Grsecurity copyright, when more specific details are not easy to find, the following could be used:

 Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.

Additionally, Grsecurity has asked that contributors include this in commit messages for non-trivial code ported from Grsecurity:

 $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST better and default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

= Recommended settings =

People ask from time to time what a good set of security build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

=== arm64 ===

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

== kernel command line options ==

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

=== x86_64 ===

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

== sysctls ==

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
user.max_user_namespaces = 0 98d5f55613bea9ca3cd480057693655a9b63a269 3873 3869 2017-06-05T23:31:43Z KeesCook 3 this page is too long wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. 
Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. * Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized. * Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Details = ==== [[Recommended_Settings|Recommended Kernel Settings]] ==== = Get Involved = Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list]. == Introduce Yourself == Send an email to introduce yourself! Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. == Patch Contribution Guidelines == When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. 
Even if you're only sending your patches to the kernel-hardening mailing list for some early review, it's best to get as much of the coding style and submission semantics correct as possible, to avoid reviewers needing to recommend changes in those areas.

As with any other Open Source project, it is particularly important when upstreaming work from other Open Source projects that your patches give credit to the original authors, that licenses are compatible, and that copyright notices are retained. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 Grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For Grsecurity copyright, when more specific details are not easy to find, the following could be used:

Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.

Additionally, Grsecurity has asked that contributors include this in commit messages for non-trivial code ported from Grsecurity:

$CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST to something better and make it default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc.
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

= Documentation =

For kernel protections already in upstream (or under active development) that have specific documentation:

==== [https://github.com/torvalds/linux/blob/master/Documentation/security/self-protection.txt Self-Protection Guidelines] ====

==== [[Kernel_Protections/HARDENED_ATOMIC|refcount_t]] ====
: Kernel reference counter overflow protection

Revision by KeesCook, 2017-06-05T23:33:35Z: continue collapsing top-level topics into sub pages

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =

A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Details =

==== [[Get_Involved|Get Involved]] ====

==== [[Recommended_Settings|Recommended Kernel Settings]] ====
Kernel Protections/refcount t (revision by DavidWindsor, 2017-02-04T06:42:17Z: Add refcount_t API)

= Summary =

HARDENED_ATOMIC is a kernel self-protection feature that greatly helps with the mitigation of [[Bug Classes/Use after free|use-after-free]] bugs. It is based on work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT].

= Reference Counting API =

HARDENED_ATOMIC introduces a new data type: <tt>refcount_t</tt>. This type is to be used for all kernel reference counters. The following operations are the kernel reference counting API. Please note that all operations are atomic, unless otherwise specified.

;'''<tt>REFCOUNT_INIT(unsigned int)</tt>'''
: Initialize a <tt>refcount_t</tt> object.
;'''<tt>void refcount_set(refcount_t *, unsigned int)</tt>'''
: Set a <tt>refcount_t</tt> object's internal value.
;'''<tt>unsigned int refcount_read(refcount_t *)</tt>'''
: Returns the <tt>refcount_t</tt> object's internal value.
;'''<tt>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</tt>'''
: Add <tt>v</tt> to <tt>r</tt>. If <tt>r + v</tt> causes an overflow, the result of the addition is not saved to <tt>r</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise.
;'''<tt>void refcount_add(unsigned int v, refcount_t *r)</tt>'''
: Adds <tt>v</tt> to <tt>r</tt> and stores the value in <tt>r</tt>.
;'''<tt>bool refcount_inc_not_zero(refcount_t *r)</tt>'''
: Increments <tt>r</tt> and tests whether <tt>r + 1</tt> causes an overflow. If an overflow does occur, the result of the increment is not saved to <tt>r</tt>. Will saturate at <tt>UINT_MAX</tt> and <tt>WARN</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise.
;'''<tt>void refcount_inc(refcount_t *r)</tt>'''
: Increment <tt>r</tt>. Will saturate at <tt>UINT_MAX</tt> and <tt>WARN</tt>.
;'''<tt>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</tt>'''
: Subtract <tt>v</tt> from <tt>r</tt> and test whether <tt>r - v</tt> causes an underflow. If an underflow does occur, the result of the subtraction is not saved to <tt>r</tt>. Will fail to decrement when saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise.
;'''<tt>void refcount_dec(refcount_t *r)</tt>'''
: Decrement <tt>r</tt>. If <tt>r - 1</tt> causes an underflow, the result of the decrement is not saved to <tt>r</tt>. Will fail to decrement when saturated at <tt>UINT_MAX</tt>.
;'''<tt>bool refcount_dec_if_one(refcount_t *r)</tt>'''
: Attempts to transition <tt>r</tt> from 1 to 0. If <tt>r</tt> is 1, decrement it to 0. Returns <tt>true</tt> if <tt>r</tt> was decremented, <tt>false</tt> otherwise.
;'''<tt>bool refcount_dec_not_one(refcount_t *r)</tt>'''
: Decrement <tt>r</tt> unless the value of <tt>r</tt> is 1. Returns <tt>true</tt> if <tt>r</tt> was decremented, <tt>false</tt> otherwise.
;'''<tt>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</tt>'''
: Decrement <tt>r</tt> and lock the mutex if <tt>r</tt> becomes 0. Will <tt>WARN</tt> on underflow and fail to decrement if <tt>r</tt> is saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if <tt>r</tt> is 0 and the mutex is held, <tt>false</tt> otherwise.
;'''<tt>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</tt>'''
: Decrement <tt>r</tt> and lock the spinlock if <tt>r</tt> becomes 0. Will <tt>WARN</tt> on underflow and fail to decrement if <tt>r</tt> is saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if <tt>r</tt> is 0 and the spinlock is held, <tt>false</tt> otherwise.
;'''<tt>void refcount_add(unsigned int v, refcount_t *r)</tt>''' : Adds <tt>v</tt> to <tt>r</tt> and stores the value in <tt>r</tt>. ;'''<tt>bool refcount_inc_not_zero(refcount_t *r)</tt>''' : Increments <tt>r</tt> and tests whether <tt>r + 1</tt> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <tt>r</tt>. Will saturate at <tt>UINT_MAX</tt> and <tt>WARN</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise. ;'''<tt>void refcount_inc(refcount_t *r)</tt>''' : Increment <tt>r</tt>. Will saturate at <tt>UINT_MAX</tt> and <tt>WARN</tt>. ;'''<tt>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</tt>''' : Subtract <tt>v</tt> from <tt>r</tt> and tests whether <tt>r - v</tt> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <tt>r</tt>. Will fail to decrement when saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise. ;'''<tt>void refcount_dec(refcount_t *r)</tt>''' : Decrement <tt>r</tt>. If <tt>r - 1</tt> causes an underflow, the result of the decrement operation is not saved to <tt>r</tt>. Will fail to decrement when saturated at <tt>UINT_MAX</tt>. ;'''<tt>bool refcount_dec_if_one(refcount_t *r)</tt>''' : Attempts to transition <tt>r</tt> from 1 to 0. If <tt>r</tt> is 1, decrement it to 0. Returns <tt>true</tt> if <tt>r</tt> was decremented, <tt>false</tt> otherwise. ;'''<tt>bool refcount_dec_not_one(refcount_t *r)</tt>''' : Decrement <tt>r</tt> unless the value of <tt>r</tt> is 1. Returns <tt>true</tt> if <tt>r</tt> was decremented, </tt>false</tt> otherwise. ;'''<tt>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</tt>''' : Decrement <tt>r</tt> and lock mutex if <tt>r</tt> becomes 0. Will <tt>WARN</tt> on underflow and fail to decrement if <tt>r</tt> is saturated at <tt>UINT_MAX</tt>. 
Returns <tt>true</tt> if <tt>r</tt> is 0 and mutex is held, <tt>false</tt> otherwise. ;'''<tt>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</tt>''' : Decrement <tt>r</tt> and lock spinlock if <tt>r</tt> becomes 0. Will <tt>WARN</tt> on underflow and fail to decrement if <tt>r</tt> is saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if <tt>r</tt> is 0 and spinlock is held, <tt>false</tt> otherwise. 60f0105a5314ba367e0a06b78b5c71b3b31c68b9 3846 3845 2017-02-04T11:20:47Z DavidWindsor 6 Minor language change in Reference Counting API wikitext text/x-wiki = Summary = HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the mitigation of [[Bug Classes/Use after free|use-after-free]] bugs. It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT]. = Reference Counting API = HARDENED_ATOMIC introduces a new data type: <tt>refcount_t</tt>. This type is to be used for all kernel reference counters. The following is the kernel reference counting API. Please note that all operations are atomic, unless otherwise specified. ;'''<tt>REFCOUNT_INIT(unsigned int)</tt>''' : Initialize a <tt>refcount_t</tt> object. ;'''<tt>void refcount_set(refcount_t *, unsigned int)</tt>''' : Set a <tt>refcount_t</tt> object's internal value. ;'''<tt>unsigned int refcount_read(refcount_t *)</tt>''' : Returns the <tt>refcount_t</tt> object's internal value. ;'''<tt>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</tt>''' : Add <tt>v</tt> to <tt>r</tt>. If <tt>r + v</tt> causes an overflow, the result of the addition operation is not saved to <tt>r</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise. ;'''<tt>void refcount_add(unsigned int v, refcount_t *r)</tt>''' : Adds <tt>v</tt> to <tt>r</tt> and stores the value in <tt>r</tt>. 
;'''<tt>bool refcount_inc_not_zero(refcount_t *r)</tt>''' : Increments <tt>r</tt> and tests whether <tt>r + 1</tt> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <tt>r</tt>. Will saturate at <tt>UINT_MAX</tt> and <tt>WARN</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise. ;'''<tt>void refcount_inc(refcount_t *r)</tt>''' : Increment <tt>r</tt>. Will saturate at <tt>UINT_MAX</tt> and <tt>WARN</tt>. ;'''<tt>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</tt>''' : Subtract <tt>v</tt> from <tt>r</tt> and tests whether <tt>r - v</tt> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <tt>r</tt>. Will fail to decrement when saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise. ;'''<tt>void refcount_dec(refcount_t *r)</tt>''' : Decrement <tt>r</tt>. If <tt>r - 1</tt> causes an underflow, the result of the decrement operation is not saved to <tt>r</tt>. Will fail to decrement when saturated at <tt>UINT_MAX</tt>. ;'''<tt>bool refcount_dec_if_one(refcount_t *r)</tt>''' : Attempts to transition <tt>r</tt> from 1 to 0. If <tt>r</tt> is 1, decrement it to 0. Returns <tt>true</tt> if <tt>r</tt> was decremented, <tt>false</tt> otherwise. ;'''<tt>bool refcount_dec_not_one(refcount_t *r)</tt>''' : Decrement <tt>r</tt> unless the value of <tt>r</tt> is 1. Returns <tt>true</tt> if <tt>r</tt> was decremented, </tt>false</tt> otherwise. ;'''<tt>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</tt>''' : Decrement <tt>r</tt> and lock mutex if <tt>r</tt> becomes 0. Will <tt>WARN</tt> on underflow and fail to decrement if <tt>r</tt> is saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if <tt>r</tt> is 0 and mutex is held, <tt>false</tt> otherwise. 
;'''<tt>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</tt>''' : Decrement <tt>r</tt> and lock spinlock if <tt>r</tt> becomes 0. Will <tt>WARN</tt> on underflow and fail to decrement if <tt>r</tt> is saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if <tt>r</tt> is 0 and spinlock is held, <tt>false</tt> otherwise. 469f8840d1ca941336a818eb870094134d864e57 3847 3846 2017-02-06T12:19:19Z DavidWindsor 6 Change <tt> tags to <code> wikitext text/x-wiki = Summary = HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the mitigation of [[Bug Classes/Use after free|use-after-free]] bugs. It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT]. = Reference Counting API = HARDENED_ATOMIC introduces a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters. The following is the kernel reference counting API. Please note that all operations are atomic, unless otherwise specified. ;'''<code>REFCOUNT_INIT(unsigned int)</code>''' : Initialize a <code>refcount_t</code> object. ;'''<code>void refcount_set(refcount_t *, unsigned int)</code>''' : Set a <code>refcount_t</code> object's internal value. ;'''<code>unsigned int refcount_read(refcount_t *)</code>''' : Returns the <code>refcount_t</code> object's internal value. ;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>''' : Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>''' : Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>. 
;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>''' : Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_inc(refcount_t *r)</code>''' : Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. ;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>''' : Subtract <code>v</code> from <code>r</code> and tests whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_dec(refcount_t *r)</code>''' : Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. ;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>''' : Attempts to transition <code>r</code> from 1 to 0. If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise. ;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>''' : Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, </code>false</code> otherwise. ;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>''' : Decrement <code>r</code> and lock mutex if <code>r</code> becomes 0. 
Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and mutex is held, <code>false</code> otherwise. ;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>''' : Decrement <code>r</code> and lock spinlock if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and spinlock is held, <code>false</code> otherwise. d637ed2426eeb8feb3701fc94d5156e799ef534f 3848 3847 2017-02-06T14:45:47Z DavidWindsor 6 Add Examples section wikitext text/x-wiki = Summary = HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the mitigation of [[Bug Classes/Use after free|use-after-free]] bugs. It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT]. = Reference Counting API = HARDENED_ATOMIC introduces a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters. The following is the kernel reference counting API. Please note that all operations are atomic, unless otherwise specified. ;'''<code>REFCOUNT_INIT(unsigned int)</code>''' : Initialize a <code>refcount_t</code> object. ;'''<code>void refcount_set(refcount_t *, unsigned int)</code>''' : Set a <code>refcount_t</code> object's internal value. ;'''<code>unsigned int refcount_read(refcount_t *)</code>''' : Returns the <code>refcount_t</code> object's internal value. ;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>''' : Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. 
;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>''' : Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>. ;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>''' : Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_inc(refcount_t *r)</code>''' : Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. ;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>''' : Subtract <code>v</code> from <code>r</code> and tests whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_dec(refcount_t *r)</code>''' : Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. ;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>''' : Attempts to transition <code>r</code> from 1 to 0. If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise. ;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>''' : Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, </code>false</code> otherwise. 
;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>''' : Decrement <code>r</code> and lock mutex if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and mutex is held, <code>false</code> otherwise. ;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>''' : Decrement <code>r</code> and lock spinlock if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and spinlock is held, <code>false</code> otherwise. = Examples = The following use case is an instance of correct usage of the <code>refcount_t</code> API. The object being counted is <code>struct super_block</code>, which represents a virtual filesystem superblock, an object containing a particular filesystem's metadata such as block size, the root inode, etc. ==== Member Definition ==== This is the definition of the reference counter field in the <code>struct super_block</code> object. If the object being counted is a structure, the reference counter is typically defined as a field of the counted structure, as we see in <code>struct super_block</code> below. From <code>[http://lxr.free-electrons.com/source/include/linux/fs.h include/linux/fs.h]</code>: <code> struct super_block { ... refcount_t s_active; ... }; </code> ==== Object Initialization ==== When a counted object is created, its reference counter must be initialized to something sane, typically 1 (since, by virtue of being called in an "allocation" method, a user of the object already exists). 
From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> static struct super_block *alloc_super(struct file_system_type *type, int flags, struct user_namespace *user_ns) { struct super_block *s = kzalloc(sizeof(struct super_block), GFP_USER); ... refcount_set(&s->s_active, 1); ... } </code> ==== Getting a New Reference ==== This code is executed when a user wishes to obtain a new reference to a <code>struct super_block</code> object. The following code corresponds to the traditional reference counting "get" method. From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> static int grab_super(struct super_block *s) __releases(sb_lock) { s->s_count++; spin_unlock(&sb_lock); down_write(&s->s_umount); if ((s->s_flags & MS_BORN) && refcount_inc_not_zero(&s->s_active)) { put_super(s); return 1; } up_write(&s->s_umount); put_super(s); return 0; } </code> ==== Releasing an Existing Reference ==== This code is executed when a user currently holding a reference to a <code>struct super_block</code> object no longer needs the object and wants to release it. The following code corresponds to the traditional reference counting "put" method. From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> void deactivate_locked_super(struct super_block *s) { ... if (refcount_dec_and_test(&s->s_active)) { ... put_super(s); } } void deactivate_super(struct super_block *s) { if (!refcount_dec_not_one(&s->s_active)) { down_write(&s->s_umount);nnNnnn deactivate_locked_super(s); } } </code> 52f59e3706320bd730bece82672fb18a5f4a51c3 3849 3848 2017-02-06T14:53:47Z DavidWindsor 6 Minor language change in Summary wikitext text/x-wiki = Summary = HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the prevention of [[Bug Classes/Use after free|use-after-free]] bugs. 
It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT]. = Reference Counting API = HARDENED_ATOMIC introduces a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters. The following is the kernel reference counting API. Please note that all operations are atomic, unless otherwise specified. ;'''<code>REFCOUNT_INIT(unsigned int)</code>''' : Initialize a <code>refcount_t</code> object. ;'''<code>void refcount_set(refcount_t *, unsigned int)</code>''' : Set a <code>refcount_t</code> object's internal value. ;'''<code>unsigned int refcount_read(refcount_t *)</code>''' : Returns the <code>refcount_t</code> object's internal value. ;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>''' : Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>''' : Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>. ;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>''' : Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_inc(refcount_t *r)</code>''' : Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. 
;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>''' : Subtract <code>v</code> from <code>r</code> and tests whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_dec(refcount_t *r)</code>''' : Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. ;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>''' : Attempts to transition <code>r</code> from 1 to 0. If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise. ;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>''' : Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, </code>false</code> otherwise. ;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>''' : Decrement <code>r</code> and lock mutex if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and mutex is held, <code>false</code> otherwise. ;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>''' : Decrement <code>r</code> and lock spinlock if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and spinlock is held, <code>false</code> otherwise. 
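The saturation rules in the API list above, and the get/put pattern the Examples draw from <code>fs/super.c</code>, as a user-space C model. This is an added example, not code from this page, from the kernel, or from the PaX patch: the <code>refcount_model_*</code> functions, <code>REFCOUNT_MODEL_INIT</code> and the three checking functions are our own names, the kernel's <code>WARN</code> is stood in for by a message on stderr, and the starting counter values are constructed to stand for a counter that an attacker has already driven to the top of its range through leaked "get" operations. It puts a plain wrapping counter next to the saturating one, then shows the lookup-versus-last-put race that <code>refcount_inc_not_zero()</code> closes.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model of the saturating counter described above: an added
 * illustration, not the kernel's refcount_t (every _model name is ours).
 * Rules from the API list: never wrap, pin at UINT_MAX once saturated,
 * never resurrect a counter that has reached 0. */
typedef struct {
        atomic_uint refs;
} refcount_model_t;

#define REFCOUNT_MODEL_INIT(n)  { (n) }

/* refcount_add_not_zero: add i unless the object is already dying (0). An
 * addition that would wrap saturates at UINT_MAX instead, and a saturated
 * counter is left alone. Returns false only when r was 0. */
static bool refcount_model_add_not_zero(unsigned int i, refcount_model_t *r)
{
        unsigned int old = atomic_load(&r->refs), new = 0;

        for (;;) {
                if (old == 0)
                        return false;
                if (old == UINT_MAX)
                        return true;            /* pinned: leak rather than wrap */
                new = old + i;
                if (new < old)
                        new = UINT_MAX;         /* would overflow: saturate */
                if (atomic_compare_exchange_weak(&r->refs, &old, new))
                        break;
        }
        if (new == UINT_MAX)                    /* stands in for the kernel's WARN */
                fprintf(stderr, "refcount: saturated; leaking memory\n");
        return true;
}

static bool refcount_model_inc_not_zero(refcount_model_t *r)
{
        return refcount_model_add_not_zero(1, r);
}

/* refcount_sub_and_test: subtract i; true means the counter hit 0 and the
 * caller owns the free. A saturated counter is never decremented (the
 * object is deliberately leaked) and an underflow is refused. */
static bool refcount_model_sub_and_test(unsigned int i, refcount_model_t *r)
{
        unsigned int old = atomic_load(&r->refs), new = 0;

        for (;;) {
                if (old == UINT_MAX || i > old)
                        return false;           /* saturated or underflow: no change */
                new = old - i;
                if (atomic_compare_exchange_weak(&r->refs, &old, new))
                        break;
        }
        return new == 0;
}

static bool refcount_model_dec_and_test(refcount_model_t *r)
{
        return refcount_model_sub_and_test(1, r);
}

/* Plain wrapping counter, the pre-HARDENED_ATOMIC behaviour: enough leaked
 * gets wrap it to 0, and the next legitimate put frees a live object. */
bool plain_counter_frees_live_object(void)
{
        unsigned int refs = UINT_MAX;   /* constructed: driven up by leaked gets */

        refs++;                         /* one more leaked get: wraps to 0 */
        refs++;                         /* a legitimate get: 1 */
        return --refs == 0;             /* its put "frees" with UINT_MAX holders left */
}

/* Same sequence on the model. Returns the count the object is left with:
 * UINT_MAX means pinned and leaked (the intended outcome); 0 would mean
 * the put freed a live object. */
unsigned int hardened_counter_after_overflow(void)
{
        refcount_model_t r = REFCOUNT_MODEL_INIT(UINT_MAX - 1);

        refcount_model_inc_not_zero(&r);        /* saturates and warns */
        refcount_model_inc_not_zero(&r);        /* stays pinned */
        if (refcount_model_dec_and_test(&r))    /* false: never reaches 0 */
                return 0;
        return atomic_load(&r.refs);
}

/* The grab_super pattern: a lookup racing with the last put must not hand
 * out a reference to an object whose free is already under way. */
bool get_after_last_put_is_refused(void)
{
        refcount_model_t r = REFCOUNT_MODEL_INIT(1);
        bool freed = refcount_model_dec_and_test(&r);   /* last put: owner frees */
        bool got = refcount_model_inc_not_zero(&r);     /* racing get: refused */

        return freed && !got;
}
```

Each checking function returns its verdict instead of printing it, so a small <code>main()</code> or a test harness can call the three of them directly; the model deliberately mirrors the API list's choice of leaking a saturated object rather than ever letting a counter wrap back to zero, because the leak is a denial of service while the wrap is a use-after-free.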
= Examples = The following use case is an instance of correct usage of the <code>refcount_t</code> API. The object being counted is <code>struct super_block</code>, which represents a virtual filesystem superblock, an object containing a particular filesystem's metadata such as block size, the root inode, etc. ==== Member Definition ==== This is the definition of the reference counter field in the <code>struct super_block</code> object. If the object being counted is a structure, the reference counter is typically defined as a field of the counted structure, as we see in <code>struct super_block</code> below. From <code>[http://lxr.free-electrons.com/source/include/linux/fs.h include/linux/fs.h]</code>: <code> struct super_block { ... refcount_t s_active; ... }; </code> ==== Object Initialization ==== When a counted object is created, its reference counter must be initialized to something sane, typically 1 (since, by virtue of being called in an "allocation" method, a user of the object already exists). From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> static struct super_block *alloc_super(struct file_system_type *type, int flags, struct user_namespace *user_ns) { struct super_block *s = kzalloc(sizeof(struct super_block), GFP_USER); ... refcount_set(&s->s_active, 1); ... } </code> ==== Getting a New Reference ==== This code is executed when a user wishes to obtain a new reference to a <code>struct super_block</code> object. The following code corresponds to the traditional reference counting "get" method. 
From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> static int grab_super(struct super_block *s) __releases(sb_lock) { s->s_count++; spin_unlock(&sb_lock); down_write(&s->s_umount); if ((s->s_flags & MS_BORN) && refcount_inc_not_zero(&s->s_active)) { put_super(s); return 1; } up_write(&s->s_umount); put_super(s); return 0; } </code> ==== Releasing an Existing Reference ==== This code is executed when a user currently holding a reference to a <code>struct super_block</code> object no longer needs the object and wants to release it. The following code corresponds to the traditional reference counting "put" method. From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> void deactivate_locked_super(struct super_block *s) { ... if (refcount_dec_and_test(&s->s_active)) { ... put_super(s); } } void deactivate_super(struct super_block *s) { if (!refcount_dec_not_one(&s->s_active)) { down_write(&s->s_umount);nnNnnn deactivate_locked_super(s); } } </code> 57baf1bac882b732a5b9d4bc6fc1789405b54661 3850 3849 2017-02-06T14:54:25Z DavidWindsor 6 Minor language change in Reference Counting API wikitext text/x-wiki = Summary = HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the prevention of [[Bug Classes/Use after free|use-after-free]] bugs. It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT]. = Reference Counting API = HARDENED_ATOMIC introduces a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters. The following is the kernel reference counting API. ;'''<code>REFCOUNT_INIT(unsigned int)</code>''' : Initialize a <code>refcount_t</code> object. ;'''<code>void refcount_set(refcount_t *, unsigned int)</code>''' : Set a <code>refcount_t</code> object's internal value. 
;'''<code>unsigned int refcount_read(refcount_t *)</code>''' : Returns the <code>refcount_t</code> object's internal value. ;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>''' : Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>''' : Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>. ;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>''' : Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_inc(refcount_t *r)</code>''' : Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. ;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>''' : Subtract <code>v</code> from <code>r</code> and tests whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_dec(refcount_t *r)</code>''' : Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. ;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>''' : Attempts to transition <code>r</code> from 1 to 0. 
If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise. ;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>''' : Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, </code>false</code> otherwise. ;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>''' : Decrement <code>r</code> and lock mutex if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and mutex is held, <code>false</code> otherwise. ;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>''' : Decrement <code>r</code> and lock spinlock if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and spinlock is held, <code>false</code> otherwise. = Examples = The following use case is an instance of correct usage of the <code>refcount_t</code> API. The object being counted is <code>struct super_block</code>, which represents a virtual filesystem superblock, an object containing a particular filesystem's metadata such as block size, the root inode, etc. ==== Member Definition ==== This is the definition of the reference counter field in the <code>struct super_block</code> object. If the object being counted is a structure, the reference counter is typically defined as a field of the counted structure, as we see in <code>struct super_block</code> below. From <code>[http://lxr.free-electrons.com/source/include/linux/fs.h include/linux/fs.h]</code>: <code> struct super_block { ... refcount_t s_active; ... 
};
</code>

==== Object Initialization ====

When a counted object is created, its reference counter must be initialized to something sane, typically 1 (since, by virtue of being called in an "allocation" method, a user of the object already exists). From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
static struct super_block *alloc_super(struct file_system_type *type, int flags,
				       struct user_namespace *user_ns)
{
	struct super_block *s = kzalloc(sizeof(struct super_block), GFP_USER);
	...
	refcount_set(&s->s_active, 1);
	...
}
</code>

==== Getting a New Reference ====

This code is executed when a user wishes to obtain a new reference to a <code>struct super_block</code> object. The following code corresponds to the traditional reference counting "get" method. From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
static int grab_super(struct super_block *s) __releases(sb_lock)
{
	s->s_count++;
	spin_unlock(&sb_lock);
	down_write(&s->s_umount);
	if ((s->s_flags & MS_BORN) && refcount_inc_not_zero(&s->s_active)) {
		put_super(s);
		return 1;
	}
	up_write(&s->s_umount);
	put_super(s);
	return 0;
}
</code>

==== Releasing an Existing Reference ====

This code is executed when a user currently holding a reference to a <code>struct super_block</code> object no longer needs the object and wants to release it. The following code corresponds to the traditional reference counting "put" method. From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
void deactivate_locked_super(struct super_block *s)
{
	...
	if (refcount_dec_and_test(&s->s_active)) {
		...
		put_super(s);
	}
}

void deactivate_super(struct super_block *s)
{
	if (!refcount_dec_not_one(&s->s_active)) {
		down_write(&s->s_umount);
		deactivate_locked_super(s);
	}
}
</code>
e0deb871343d24a312a95939063e529132ff1236 Events 0 6 3856 3823 2017-03-06T02:32:32Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki

== Upcoming ==
* [http://events.linuxfoundation.org/events/linux-security-summit 2017 Linux Security Summit], Los Angeles, USA, Sept 14-15.

== Past ==

=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada. August 25-26.

=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21.

=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].

=== 2013 ===
* [[Linux Security Summit 2013]], New Orleans, USA.

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston, MA, USA.

=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland, OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland, OR, USA.
** Event Details
* Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf, 20 January 2009, Hobart, Australia.
60aa8b21a853a9d60af94a0e24c179479082d586 Feature List 0 180 3860 3781 2017-04-26T23:02:21Z KeesCook 3 catch up wikitext text/x-wiki

This is a list of various interesting security features since v3.4 and when they were introduced in the upstream kernel. Feel free to add anything more!

{| class="wikitable"
! Version
! Feature
|-
| v3.5
| seccomp-bpf, x86
|-
| v3.7
| PXN, arm64
|-
|rowspan="3"| v3.8
| seccomp-bpf, arm
|-
| seccomp reported in /proc/$pid/status
|-
| finit_module syscall and LSM hook
|-
| v3.13
| remove %n from printf
|-
|rowspan="5"| v3.14
| ptdump, arm
|-
| kaslr, x86
|-
| modules ro/nx, arm
|-
| stack-protector-strong
|-
| kexec_load_disabled
|-
|rowspan="3"| v3.15
| seccomp-bpf, mips
|-
| lkdtm WRITE_KERN
|-
| module aslr, x86
|-
| v3.16
| harden sysctl writing
|-
|rowspan="2"| v3.17
| seccomp syscall and TSYNC
|-
| request_firmware LSM hook
|-
|rowspan="2"| v3.18
| kernel memory W^X, x86
|-
| overlayfs v3.18
|-
|rowspan="11"| v3.19
| kernel ro/nx, arm
|-
| modules ro/nx, arm64
|-
| ptdump, arm64
|-
| seccomp-bpf, arm64
|-
| PXN, arm
|-
| crypto- module prefixing
|-
| ecryptfs one-byte heap write fix
|-
| arm64 mmap ASLR fix
|-
| vdso ASLR fix, x86_64
|-
| vsyscall=none, x86_64
|-
| vdso ASLR, mips
|-
|rowspan="3"| v4.0
| kernel ro/nx, arm64
|-
| stack ASLR fix
|-
| seccomp-bpf, RET_ERRNO capped to 4095
|-
|rowspan="3"| v4.1
| kernel stack buffer overflow detection, mips
|-
| INET_DIAG cookies fixed
|-
| ET_DYN ASLR separate from mmap ASLR
|-
|rowspan="4"| v4.3
| PAN emulation, arm
|-
| ambient capabilities
|-
| seccomp-bpf, powerpc
|-
| x86_32 direct socket calls
|-
| v4.4
| vsyscall CONFIG
|-
| v4.5
| ASLR entropy bits sysctl
|-
|rowspan="4"| v4.6
| KASLR, arm64
|-
| RODATA on by default, arm64
|-
| RODATA on by default, arm (ARMv7+)
|-
| RODATA mandatory, x86
|-
|rowspan="5"| v4.7
| LoadPin LSM
|-
| KASLR text, MIPS
|-
| SLAB freelist ASLR
|-
| brk ASLR weakness fixed, arm64 compat
|-
| eBPF JIT blinding
|-
|rowspan="11"| v4.8
| SLUB freelist ASLR
|-
| KASLR text phys/virt split, x86_64
|-
| KASLR memory, x86_64
|-
| gcc-plugin infrastructure
|-
| fix _etext, arm
|-
| fix _etext, arm64
|-
| HARDENED_USERCOPY lkdtm tests
|-
| KASLR with hibernation, x86
|-
| seccomp vs ptrace fixed
|-
| HARDENED_USERCOPY
|-
| NX stack and heap, mips
|-
|rowspan="6"| v4.9
| latent_entropy plugin
|-
| vmap stack, x86
|-
| thread_info in task_struct, x86
|-
| random_page() cleanup
|-
| RODATA mandatory, arm64
|-
| user_ns restrictions
|-
|rowspan="7"| v4.10
| CONFIG_DEBUG_LIST hardening
|-
| PAN emulation, arm64 v8.0
|-
| thread_info in task_struct, arm64
|-
| get_user zeroing fix, arm
|-
| report nnp
|-
| seed RNG from UEFI
|-
| CONFIG_DEBUG_WX, arm64
|}
ff8e757db42cc132ebb31c5168f27b6452da8eb6 Kernel Self Protection Project/Get Involved 0 182 3870 2017-06-05T23:22:33Z KeesCook 3 Created page with "Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list]. = Introduce Yoursel..." wikitext text/x-wiki
43d35d81c26afbddabf63243bcc61c055b4f1705 3871 3870 2017-06-05T23:24:43Z KeesCook 3 Blanked the page wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 3874 3871 2017-06-05T23:32:27Z KeesCook 3 wikitext text/x-wiki
43d35d81c26afbddabf63243bcc61c055b4f1705 3880 3874 2017-06-05T23:39:44Z KeesCook 3 wikitext text/x-wiki

Want to get involved in the [[Kernel Self Protection Project]]? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list].

= Introduce Yourself =

Send an email to introduce yourself! Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Patch Contribution Guidelines =

When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the kernel-hardening mailing list for some early review, it's best to get as much of the coding style and submission semantics correct as possible, to avoid reviewers needing to recommend changes in those areas.

As with any other Open Source project, it is particularly important that, if you're upstreaming work from other Open Source projects, your patches give credit to the original authors, that licenses are compatible, that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 Grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For Grsecurity copyright, when more specific details are not easy to find, the following could be used:

 Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.

Additionally, Grsecurity has asked that contributors include this in commit messages for non-trivial code ported from Grsecurity:

 $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.
0d81a8e8ef1fc2f427baeb4dbb06fdb62e603e3a Kernel Self Protection Project/Recommended Settings 0 183 3872 2017-06-05T23:26:51Z KeesCook 3 Created page with "People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system. ..." wikitext text/x-wiki

People ask from time to time what a good security set of build CONFIGs and runtime sysctls is. This is a brain-dump of the various options for a particularly paranoid system.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

= kernel command line options =

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
d0ee335170ba4182e035244eb7a3dd388964760c 3882 3872 2017-06-05T23:42:00Z KeesCook 3 wikitext text/x-wiki
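As an added example (not tooling from the wiki page or from the Kernel Self Protection Project), the following POSIX shell script compares a saved kernel <code>.config</code>, a boot command line and a <code>sysctl -a</code> dump against a subset of the settings listed above. The subset it checks, the function names (<code>check_config</code>, <code>check_cmdline</code>, <code>check_sysctl</code>, <code>kspp_audit</code>), the script file name in the usage comment and all sample inputs are assumptions made for this example; nothing here comes from the page itself.

```shell
#!/bin/sh
# Constructed audit helper (not part of the KSPP wiki page): checks a saved
# kernel .config, a kernel command line and a "sysctl -a" dump against a
# subset of the recommended settings above. Everything is read from files so
# it also works offline on captures taken from another machine.

# Expected .config lines, written exactly as Kconfig emits them. A symbol
# only counts as "on" if the exact line is present: CONFIG_FOO=m or a
# different spelling of the "is not set" comment is reported as a miss.
WANT_CONFIG='CONFIG_BUG=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_DEBUG_WX=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECURITY_YAMA=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_VMAP_STACK=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_MODULE_SIG_FORCE=y
# CONFIG_DEVMEM is not set
# CONFIG_DEVKMEM is not set
# CONFIG_PROC_KCORE is not set
# CONFIG_ACPI_CUSTOM_METHOD is not set
# CONFIG_COMPAT_BRK is not set
# CONFIG_COMPAT_VDSO is not set
# CONFIG_KEXEC is not set
# CONFIG_LEGACY_PTYS is not set'

# Expected sysctl values, in the "key = value" form that "sysctl -a" prints.
WANT_SYSCTL='kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.kexec_load_disabled = 1
kernel.yama.ptrace_scope = 1
user.max_user_namespaces = 0'

# Expected kernel command line tokens (see "kernel command line options").
WANT_CMDLINE='slub_debug=P page_poison=1 slab_nomerge'

# check_config FILE: report every expected line absent from FILE; the return
# value is the number of misses (0 means the file satisfies the subset).
check_config() {
    misses=0
    while IFS= read -r want; do
        if ! grep -Fxq -- "$want" "$1"; then
            printf 'CONFIG: missing "%s"\n' "$want"
            misses=$((misses + 1))
        fi
    done <<EOF
$WANT_CONFIG
EOF
    return "$misses"
}

# check_cmdline FILE: FILE holds the boot command line (/proc/cmdline format,
# space-separated tokens); returns the number of expected tokens absent.
check_cmdline() {
    misses=0
    for tok in $WANT_CMDLINE; do
        if ! tr ' ' '\n' < "$1" | grep -Fxq -- "$tok"; then
            printf 'CMDLINE: missing "%s"\n' "$tok"
            misses=$((misses + 1))
        fi
    done
    return "$misses"
}

# check_sysctl FILE: FILE holds "key = value" lines ("sysctl -a" output). A key
# that is absent counts as a miss rather than being skipped, since for example
# kernel.yama.* only exists when Yama is built in. Returns the number of misses.
check_sysctl() {
    misses=0
    while IFS= read -r want; do
        key=${want%% = *}
        have=$(grep -- "^$key = " "$1" | head -n 1)
        if [ "$have" != "$want" ]; then
            printf 'SYSCTL: want "%s", have "%s"\n' "$want" "${have:-<absent>}"
            misses=$((misses + 1))
        fi
    done <<EOF
$WANT_SYSCTL
EOF
    return "$misses"
}

# kspp_audit CONFIG CMDLINE SYSCTL: run all three checks, then print and
# return the total number of deviations.
kspp_audit() {
    total=0
    check_config "$1"  || total=$((total + $?))
    check_cmdline "$2" || total=$((total + $?))
    check_sysctl "$3"  || total=$((total + $?))
    printf 'kspp_audit: %d deviation(s) from the recommended settings\n' "$total"
    return "$total"
}

# Live usage (script name is hypothetical), as root:
#   zcat /proc/config.gz > /tmp/config; sysctl -a > /tmp/sysctl
#   sh kspp_audit.sh /tmp/config /proc/cmdline /tmp/sysctl
if [ "$#" -eq 3 ]; then
    kspp_audit "$@"
fi
```

The matching is deliberately literal: a CONFIG line only matches when it reads exactly as Kconfig writes it, so <code>CONFIG_KEXEC=y</code> where <code># CONFIG_KEXEC is not set</code> was expected shows up as a deviation, and a sysctl key that does not exist on the running kernel is reported instead of being silently treated as compliant. Options whose name depends on the kernel version (the <code>CONFIG_DEBUG_RODATA</code> / <code>CONFIG_STRICT_KERNEL_RWX</code> pair, for instance) would need a per-version table, which is why the checked subset leaves them out.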
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. 
CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset === arm64 === # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. 
kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 30669c4bb28a30f35f26e3557120a9eea0bf026c 3885 3882 2017-06-05T23:47:06Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. 
CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists. CONFIG_SLAB_FREELIST_RANDOM=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. 
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. 
 CONFIG_ARM64_SW_TTBR0_PAN=y

= kernel command line options =

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

05b1d5822bcb731668f37fe506647793986094df 3886 3885 2017-06-23T19:13:42Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system:

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is unset

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

= kernel command line options =

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

d0d4a837e639695c4334f299e9bf261c4f513600 Kernel Self Protection Project/Work 0 184 3878 2017-06-05T23:37:51Z KeesCook 3 Created page with "= Work Areas = While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehens..." wikitext text/x-wiki

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding) (In progress: arm)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST better and default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

dabf1dd762840e173262f89c0a0e2589b95dbaa8 3881 3878 2017-06-05T23:40:31Z KeesCook 3 wikitext text/x-wiki

= Work Areas =

The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding) (In progress: arm)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST better and default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])

3f59962a2959512e4fdaf8f7d2d9e8540b6f0a7a Linux Security Summit 2017 0 185 3887 2017-07-11T11:25:21Z JamesMorris 2 Created page with "== Overview == The Linux Security Summit for 2017 will be held on 14th and 15th September, in Los Angeles, CA. See the event web site for details: http://events.linuxfoundat..." wikitext text/x-wiki

== Overview ==

The Linux Security Summit for 2017 will be held on 14th and 15th September, in Los Angeles, CA.

See the event web site for details: http://events.linuxfoundation.org/events/linux-security-summit

== Program Committee ==

The Linux Security Summit for 2017 is organized by:
* James Morris, Oracle
* Serge Hallyn, Fermat, Inc.
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses

43e0d4aaa11db3c43444fb2c43908ed77d03eaee Events 0 6 3888 3856 2017-07-11T11:29:07Z JamesMorris 2 wikitext text/x-wiki

== Upcoming ==
* [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15.

== Past ==
=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada. August 25-26.
=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21.
=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].
=== 2013 ===
* [[Linux Security Summit 2013]] New Orleans, USA.
=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.
=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.
=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA.
=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
** Event Details
* Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf 20 January 2009, Hobart, Australia.

fade6507df6ce931e636a5c6b90e4f7220a653ae 3906 3888 2017-10-16T06:10:35Z JamesMorris 2 wikitext text/x-wiki

== Upcoming ==
* [[Kernel Summit Security Topic]], Prague, CZ, October 24.

== Past ==
=== 2017 ===
* [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15.
=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada. August 25-26.
=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21.
=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].
=== 2013 ===
* [[Linux Security Summit 2013]] New Orleans, USA.
=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.
=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.
=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA.
=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
** Event Details
* Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf 20 January 2009, Hobart, Australia.

303a150b2dd7511aa786ddc2dca34906a7d3f131 3907 3906 2017-10-16T06:11:11Z JamesMorris 2 wikitext text/x-wiki

== Upcoming ==
* [[Linux Kernel Summit 2017, Security Topic]], Prague, CZ, October 24.

== Past ==
=== 2017 ===
* [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15.
=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada. August 25-26.
=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21.
=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].
=== 2013 ===
* [[Linux Security Summit 2013]] New Orleans, USA.
=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.
=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.
=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA.
=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
** Event Details
* Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf 20 January 2009, Hobart, Australia.

f9b5aa003f7b47db1ed5203f55ff4487c3431a43 3908 3907 2017-10-16T06:16:59Z JamesMorris 2 wikitext text/x-wiki

== Upcoming ==
* [[Linux Kernel Summit 2017, Security Session]], Prague, Czech Republic, October 24.

== Past ==
=== 2017 ===
* [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15.
=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada. August 25-26.
=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21.
=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].
=== 2013 ===
* [[Linux Security Summit 2013]] New Orleans, USA.
=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.
=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.
=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA.
=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
** Event Details
* Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf 20 January 2009, Hobart, Australia.

1212fc9cfe129e0e710813dd5c6965a1fc41eb5a 3921 3908 2017-11-16T22:39:52Z JamesMorris 2 wikitext text/x-wiki

== Upcoming ==
* [http://events.linuxfoundation.org/events/linux-security-summit-north-america Linux Security Summit North America 2018], Vancouver, Canada, August 27-28.
* [http://events.linuxfoundation.org/events/linux-security-summit-europe Linux Security Summit Europe 2018], Edinburgh, UK, October 25-26.

== Past ==
=== 2017 ===
* [[Linux Kernel Summit 2017, Security Session]], Prague, Czech Republic, October 24.
* [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15.
=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada. August 25-26.
=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21.
=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].
=== 2013 ===
* [[Linux Security Summit 2013]] New Orleans, USA.
=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.
=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.
=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA.
=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
** Event Details
* Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf 20 January 2009, Hobart, Australia.

8c507ec8ffc98ac12f06e619c9d1d7f4614c384a 3922 3921 2017-11-16T22:40:08Z JamesMorris 2 /* 2017 */ wikitext text/x-wiki

== Upcoming ==
* [http://events.linuxfoundation.org/events/linux-security-summit-north-america Linux Security Summit North America 2018], Vancouver, Canada, August 27-28.
* [http://events.linuxfoundation.org/events/linux-security-summit-europe Linux Security Summit Europe 2018], Edinburgh, UK, October 25-26.

== Past ==
=== 2017 ===
* [[Linux Kernel Summit 2017, Security Session]], Prague, Czech Republic, October 24.
* [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15.
=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada. August 25-26.
=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21.
=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].
=== 2013 ===
* [[Linux Security Summit 2013]] New Orleans, USA.
=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.
=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.
=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA.
=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA.
** Event Details
* Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf 20 January 2009, Hobart, Australia.

19d822aeda3fba21c419f9cfc259ec9610734316 Kernel Self Protection Project/Recommended Settings 0 183 3889 3886 2017-07-25T03:35:50Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system:

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is unset

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

= kernel command line options =

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

6a7c75dc50ee49d6a7d5f252dc84b9913405363c 3898 3889 2017-08-10T20:28:06Z KeesCook 3 /* CONFIGs */ CONFIG_SECURITY_SELINUX_DISABLE wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system:

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists.
 CONFIG_SLAB_FREELIST_RANDOM=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is unset

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

= kernel command line options =

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

7f485b9461463d0617a5ff845e3d6f1dc10cf407 3903 3898 2017-09-18T22:27:40Z KeesCook 3 wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system:

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_HARDENED=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. 
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 9f714548ff58e4f450fcb6c2b2b76bf65f8c41b3 3923 3903 2017-12-07T19:03:37Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. 
CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_HARDENED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. 
# CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. 
CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. 
kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 1c616d669d27adcc3fab00c098e2e9aa59abbe6d 3924 3923 2018-02-22T02:42:41Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. 
CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. 
CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). 
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. 
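As an added example (not from this wiki or from the kernel tree), a small C checker that reads a .config and reports where it deviates from a subset of the CONFIGs above. The expectation table, the sample .config and the function names are constructed for this example; the sysctls and command line options are out of its scope.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One expectation from the list above: the symbol and the state it should have.
 * "n" means the build must carry "# SYM is not set" (or never mention SYM at all). */
struct expectation { const char *sym; const char *want; };

static const struct expectation recommended[] = {
    { "CONFIG_STRICT_KERNEL_RWX",      "y" },
    { "CONFIG_HARDENED_USERCOPY",      "y" },
    { "CONFIG_SLAB_FREELIST_RANDOM",   "y" },
    { "CONFIG_SLAB_FREELIST_HARDENED", "y" },
    { "CONFIG_MODULE_SIG_FORCE",       "y" },
    { "CONFIG_DEFAULT_MMAP_MIN_ADDR",  "65536" },
    { "CONFIG_DEVKMEM",                "n" },
    { "CONFIG_COMPAT_BRK",             "n" },
    { "CONFIG_LEGACY_PTYS",            "n" },
};
#define NRECOMMENDED (sizeof(recommended) / sizeof(recommended[0]))

/* Constructed sample .config fragment (not from a real build): three lines deviate. */
static const char sample_config[] =
    "CONFIG_STRICT_KERNEL_RWX=y\n"
    "CONFIG_HARDENED_USERCOPY=y\n"
    "CONFIG_SLAB_FREELIST_RANDOM=y\n"
    "# CONFIG_SLAB_FREELIST_HARDENED is not set\n"
    "CONFIG_MODULE_SIG_FORCE=y\n"
    "CONFIG_DEFAULT_MMAP_MIN_ADDR=4096\n"
    "# CONFIG_DEVKMEM is not set\n"
    "CONFIG_COMPAT_BRK=y\n"
    "# CONFIG_LEGACY_PTYS is not set\n";

/* Find SYM in a .config held in memory.  Copies its state into BUF ("n" for the
 * "# SYM is not set" form, otherwise the text after '=') and returns BUF; NULL if absent. */
static const char *config_lookup(const char *config, const char *sym, char *buf, size_t buflen)
{
    size_t symlen = strlen(sym);
    const char *line = config;

    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);

        if (strncmp(line, "# ", 2) == 0 && strncmp(line + 2, sym, symlen) == 0 &&
            strncmp(line + 2 + symlen, " is not set", 11) == 0) {
            snprintf(buf, buflen, "n");
            return buf;
        }
        if (strncmp(line, sym, symlen) == 0 && line[symlen] == '=') {
            size_t vlen = len - symlen - 1;           /* value runs to end of line */
            if (vlen >= buflen)
                vlen = buflen - 1;
            memcpy(buf, line + symlen + 1, vlen);
            buf[vlen] = '\0';
            return buf;
        }
        if (!end)
            break;
        line = end + 1;
    }
    return NULL;
}

/* Compare CONFIG against the recommended list, print each deviation and return the count.
 * An absent symbol is treated as "n": right for options the list wants off, but for a
 * wanted option it can also mean the symbol does not exist on this arch or kernel version. */
int check_recommended(const char *config)
{
    int mismatches = 0;
    char buf[64];

    for (size_t i = 0; i < NRECOMMENDED; i++) {
        const char *have = config_lookup(config, recommended[i].sym, buf, sizeof buf);
        if (!have)
            have = "n";
        if (strcmp(have, recommended[i].want) != 0) {
            printf("%-32s want %-6s have %s\n", recommended[i].sym, recommended[i].want, have);
            mismatches++;
        }
    }
    return mismatches;
}

int main(int argc, char **argv)
{
    char *text = NULL;

    if (argc > 1) {   /* e.g. /boot/config-$(uname -r), or a file written by zcat /proc/config.gz */
        FILE *f = fopen(argv[1], "r");
        size_t cap = 1 << 20, n;                      /* a real .config is a few hundred KB */
        if (!f) { perror(argv[1]); return 2; }
        text = malloc(cap + 1);
        if (!text) { fclose(f); return 2; }
        n = fread(text, 1, cap, f);
        text[n] = '\0';
        fclose(f);
    }
    int bad = check_recommended(text ? text : sample_config);
    printf("%d deviation(s) from the recommended list\n", bad);
    free(text);
    return bad ? 1 : 0;
}
```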
Kernel Self Protection Project (revision 3895, 2017-08-04T05:20:51Z, KeesCook, edit summary /* Documentation */)

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Details =
Specific details on the project:
==== [[Kernel Self Protection Project/Get Involved|Get Involved]] ====
==== [[Kernel Self Protection Project/Work|Areas of Work Needed]] ====
==== [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]] ====

= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:
==== [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines] ====
==== [[Kernel_Protections/refcount_t|refcount_t]] ====
: Kernel reference counter overflow protection

Kernel Protections/refcount t (revision 3891, 2017-08-04T05:18:41Z, KeesCook, edit summary: KeesCook moved page [[Kernel Protections/HARDENED ATOMIC]] to [[Kernel Protections/refcount t]])

= Summary =
HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the prevention of [[Bug Classes/Use after free|use-after-free]] bugs. It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT].

= Reference Counting API =
HARDENED_ATOMIC introduces a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters. The following is the kernel reference counting API.

;'''<code>REFCOUNT_INIT(unsigned int)</code>'''
: Initialize a <code>refcount_t</code> object.
;'''<code>void refcount_set(refcount_t *, unsigned int)</code>''' : Set a <code>refcount_t</code> object's internal value. ;'''<code>unsigned int refcount_read(refcount_t *)</code>''' : Returns the <code>refcount_t</code> object's internal value. ;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>''' : Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>''' : Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>. ;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>''' : Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_inc(refcount_t *r)</code>''' : Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. ;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>''' : Subtract <code>v</code> from <code>r</code> and tests whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise. ;'''<code>void refcount_dec(refcount_t *r)</code>''' : Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. 
Will fail to decrement when saturated at <code>UINT_MAX</code>. ;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>''' : Attempts to transition <code>r</code> from 1 to 0. If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise. ;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>''' : Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, </code>false</code> otherwise. ;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>''' : Decrement <code>r</code> and lock mutex if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and mutex is held, <code>false</code> otherwise. ;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>''' : Decrement <code>r</code> and lock spinlock if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and spinlock is held, <code>false</code> otherwise. = Examples = The following use case is an instance of correct usage of the <code>refcount_t</code> API. The object being counted is <code>struct super_block</code>, which represents a virtual filesystem superblock, an object containing a particular filesystem's metadata such as block size, the root inode, etc. ==== Member Definition ==== This is the definition of the reference counter field in the <code>struct super_block</code> object. If the object being counted is a structure, the reference counter is typically defined as a field of the counted structure, as we see in <code>struct super_block</code> below. 
From <code>[http://lxr.free-electrons.com/source/include/linux/fs.h include/linux/fs.h]</code>: <code> struct super_block { ... refcount_t s_active; ... }; </code> ==== Object Initialization ==== When a counted object is created, its reference counter must be initialized to something sane, typically 1 (since, by virtue of being called in an "allocation" method, a user of the object already exists). From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> static struct super_block *alloc_super(struct file_system_type *type, int flags, struct user_namespace *user_ns) { struct super_block *s = kzalloc(sizeof(struct super_block), GFP_USER); ... refcount_set(&s->s_active, 1); ... } </code> ==== Getting a New Reference ==== This code is executed when a user wishes to obtain a new reference to a <code>struct super_block</code> object. The following code corresponds to the traditional reference counting "get" method. From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> static int grab_super(struct super_block *s) __releases(sb_lock) { s->s_count++; spin_unlock(&sb_lock); down_write(&s->s_umount); if ((s->s_flags & MS_BORN) && refcount_inc_not_zero(&s->s_active)) { put_super(s); return 1; } up_write(&s->s_umount); put_super(s); return 0; } </code> ==== Releasing an Existing Reference ==== This code is executed when a user currently holding a reference to a <code>struct super_block</code> object no longer needs the object and wants to release it. The following code corresponds to the traditional reference counting "put" method. From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> void deactivate_locked_super(struct super_block *s) { ... if (refcount_dec_and_test(&s->s_active)) { ... 
        put_super(s);
    }
}

void deactivate_super(struct super_block *s)
{
    if (!refcount_dec_not_one(&s->s_active)) {
        down_write(&s->s_umount);
        deactivate_locked_super(s);
    }
}
</code>
e0deb871343d24a312a95939063e529132ff1236 3893 3891 2017-08-04T05:19:12Z KeesCook 3 /* Summary */ wikitext text/x-wiki
= Summary =
The refcount_t API is a kernel self-protection mechanism that greatly helps with the prevention of [[Bug Classes/Use after free|use-after-free]] bugs. It is based on work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT].

= Reference Counting API =
HARDENED_ATOMIC introduces a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters. The following is the kernel reference counting API.

;'''<code>REFCOUNT_INIT(unsigned int)</code>''' : Initialize a <code>refcount_t</code> object.
;'''<code>void refcount_set(refcount_t *, unsigned int)</code>''' : Set a <code>refcount_t</code> object's internal value.
;'''<code>unsigned int refcount_read(refcount_t *)</code>''' : Returns the <code>refcount_t</code> object's internal value.
;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>''' : Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.
;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>''' : Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>.
;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>''' : Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>.
Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.
;'''<code>void refcount_inc(refcount_t *r)</code>''' : Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>.
;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>''' : Subtract <code>v</code> from <code>r</code> and test whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.
;'''<code>void refcount_dec(refcount_t *r)</code>''' : Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>.
;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>''' : Attempts to transition <code>r</code> from 1 to 0. If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise.
;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>''' : Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise.
;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>''' : Decrement <code>r</code> and lock the mutex if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and the mutex is held, <code>false</code> otherwise.
;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>''' : Decrement <code>r</code> and lock the spinlock if <code>r</code> becomes 0.
Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and spinlock is held, <code>false</code> otherwise. = Examples = The following use case is an instance of correct usage of the <code>refcount_t</code> API. The object being counted is <code>struct super_block</code>, which represents a virtual filesystem superblock, an object containing a particular filesystem's metadata such as block size, the root inode, etc. ==== Member Definition ==== This is the definition of the reference counter field in the <code>struct super_block</code> object. If the object being counted is a structure, the reference counter is typically defined as a field of the counted structure, as we see in <code>struct super_block</code> below. From <code>[http://lxr.free-electrons.com/source/include/linux/fs.h include/linux/fs.h]</code>: <code> struct super_block { ... refcount_t s_active; ... }; </code> ==== Object Initialization ==== When a counted object is created, its reference counter must be initialized to something sane, typically 1 (since, by virtue of being called in an "allocation" method, a user of the object already exists). From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> static struct super_block *alloc_super(struct file_system_type *type, int flags, struct user_namespace *user_ns) { struct super_block *s = kzalloc(sizeof(struct super_block), GFP_USER); ... refcount_set(&s->s_active, 1); ... } </code> ==== Getting a New Reference ==== This code is executed when a user wishes to obtain a new reference to a <code>struct super_block</code> object. The following code corresponds to the traditional reference counting "get" method. 
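Before the kernel's own "get" path, here is a stand-alone model of the semantics the API list above describes (saturation at <code>UINT_MAX</code>, refused overflow and underflow, the <code>*_not_zero</code> and <code>*_and_test</code> return values). It is an added example, not code from the wiki or from <code>include/linux/refcount.h</code>: the function names follow the list, but the bodies, the <code>struct obj</code>/<code>obj_get</code>/<code>obj_put</code> helpers and the two <code>demo_*</code> functions are the model's own, and the saturation value is assumed to be <code>UINT_MAX</code> as the list states.

```c
/* Added example, not wiki or kernel code: a user-space model of the
 * refcount_t semantics listed above, on C11 atomics so the compare-and-swap
 * loops have the shape of the real API. Saturation value assumed: UINT_MAX. */
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { atomic_uint refs; } refcount_t;
#define REFCOUNT_INIT(n) { (n) }

static void WARN(const char *msg) { fprintf(stderr, "WARN: %s\n", msg); }
static unsigned int refcount_read(refcount_t *r) { return atomic_load(&r->refs); }

/* Add v unless r is 0 (the object is already dying) or the sum would wrap.
 * A wrap saturates at UINT_MAX and warns instead of producing a small count
 * that would let the object be freed while references still exist. */
static bool refcount_add_not_zero(unsigned int v, refcount_t *r)
{
    unsigned int old = atomic_load(&r->refs), newv;
    do {
        if (old == 0)
            return false;               /* zero stays zero: no resurrection */
        if (old == UINT_MAX)
            return true;                /* already saturated: pinned forever */
        newv = old + v;
        if (newv < old) {               /* overflow: saturate, do not wrap */
            WARN("refcount overflow, saturating");
            newv = UINT_MAX;
        }
    } while (!atomic_compare_exchange_weak(&r->refs, &old, newv));
    return true;
}
static bool refcount_inc_not_zero(refcount_t *r) { return refcount_add_not_zero(1, r); }

/* Subtract v; true only when the count reached exactly 0, i.e. the caller
 * holds the last reference and may free. A saturated counter never
 * decrements (the object leaks, the safe failure); underflow is refused. */
static bool refcount_sub_and_test(unsigned int v, refcount_t *r)
{
    unsigned int old = atomic_load(&r->refs), newv;
    do {
        if (old == UINT_MAX)
            return false;
        if (old < v) { WARN("refcount underflow, ignoring"); return false; }
        newv = old - v;
    } while (!atomic_compare_exchange_weak(&r->refs, &old, newv));
    return newv == 0;
}
static bool refcount_dec_and_test(refcount_t *r) { return refcount_sub_and_test(1, r); }

/* Decrement unless the count is exactly 1. Returns true if decremented (a
 * saturated counter also reports true, so callers never take their
 * last-reference path on it) and false when the caller holds the last ref. */
static bool refcount_dec_not_one(refcount_t *r)
{
    unsigned int old = atomic_load(&r->refs);
    do {
        if (old == UINT_MAX)
            return true;
        if (old == 1)
            return false;
        if (old == 0) { WARN("refcount underflow, ignoring"); return true; }
    } while (!atomic_compare_exchange_weak(&r->refs, &old, old - 1));
    return true;
}

/* A counted object in the super_block pattern: "get" is inc_not_zero, "put"
 * frees on the 1 -> 0 transition (freed stands in for kfree()). */
struct obj { refcount_t ref; bool freed; };
static bool obj_get(struct obj *o) { return refcount_inc_not_zero(&o->ref); }
static void obj_put(struct obj *o) { if (refcount_dec_and_test(&o->ref)) o->freed = true; }

/* An over-referenced object is leaked, not freed: adding 5 to a counter two
 * below UINT_MAX wraps, so the counter saturates and every later put is
 * refused. Returns the final count (UINT_MAX) with the object intact. */
static unsigned int demo_overflow_saturates(void)
{
    struct obj o = { .ref = REFCOUNT_INIT(UINT_MAX - 2), .freed = false };
    refcount_add_not_zero(5, &o.ref);
    for (int i = 0; i < 10; i++)
        obj_put(&o);
    return o.freed ? 0 : refcount_read(&o.ref);
}

/* Mirrors deactivate_super(): dec_not_one succeeds while other holders
 * remain, refuses at 1, and the last put frees. After that a late get must
 * fail rather than hand out a dangling pointer. True when the model agrees. */
static bool demo_last_reference(void)
{
    struct obj o = { .ref = REFCOUNT_INIT(2), .freed = false };
    bool ok = refcount_dec_not_one(&o.ref);     /* 2 -> 1: someone else holds it */
    ok = ok && !refcount_dec_not_one(&o.ref);   /* at 1: we are the last holder */
    obj_put(&o);                                /* 1 -> 0: freed */
    return ok && o.freed && !obj_get(&o) && refcount_read(&o.ref) == 0;
}
```

The two failure modes are deliberately asymmetric: an overflow pins the counter so the object is leaked rather than freed under live references, and a get on a zero counter fails so a freed object cannot be resurrected. The <code>WARN</code> is the detection hook: a saturation or underflow warning in the kernel log is the cue to go looking for the unbalanced get/put rather than a sign that memory was corrupted.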
From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:
<code>
static int grab_super(struct super_block *s) __releases(sb_lock)
{
    s->s_count++;
    spin_unlock(&sb_lock);
    down_write(&s->s_umount);
    if ((s->s_flags & MS_BORN) && refcount_inc_not_zero(&s->s_active)) {
        put_super(s);
        return 1;
    }
    up_write(&s->s_umount);
    put_super(s);
    return 0;
}
</code>

==== Releasing an Existing Reference ====
This code is executed when a user currently holding a reference to a <code>struct super_block</code> object no longer needs the object and wants to release it. The following code corresponds to the traditional reference counting "put" method.

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:
<code>
void deactivate_locked_super(struct super_block *s)
{
    ...
    if (refcount_dec_and_test(&s->s_active)) {
        ...
        put_super(s);
    }
}

void deactivate_super(struct super_block *s)
{
    if (!refcount_dec_not_one(&s->s_active)) {
        down_write(&s->s_umount);
        deactivate_locked_super(s);
    }
}
</code>
10331b752d60f28eb59c4d79eabf2ed95827ef54 3894 3893 2017-08-04T05:20:11Z KeesCook 3 /* Reference Counting API */ wikitext text/x-wiki
= Summary =
The refcount_t API is a kernel self-protection mechanism that greatly helps with the prevention of [[Bug Classes/Use after free|use-after-free]] bugs. It is based on work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT].

= Reference Counting API =
Instead of the traditional <code>atomic_t</code>, reference counting uses a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters. The following is the kernel reference counting API.

;'''<code>REFCOUNT_INIT(unsigned int)</code>''' : Initialize a <code>refcount_t</code> object.
;'''<code>void refcount_set(refcount_t *, unsigned int)</code>''' : Set a <code>refcount_t</code> object's internal value.
;'''<code>unsigned int refcount_read(refcount_t *)</code>''' : Returns the <code>refcount_t</code> object's internal value.
;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>''' : Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.
;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>''' : Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>.
;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>''' : Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.
;'''<code>void refcount_inc(refcount_t *r)</code>''' : Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>.
;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>''' : Subtract <code>v</code> from <code>r</code> and test whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.
;'''<code>void refcount_dec(refcount_t *r)</code>''' : Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>.
;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>''' : Attempts to transition <code>r</code> from 1 to 0.
If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise.
;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>''' : Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise.
;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>''' : Decrement <code>r</code> and lock the mutex if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and the mutex is held, <code>false</code> otherwise.
;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>''' : Decrement <code>r</code> and lock the spinlock if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and the spinlock is held, <code>false</code> otherwise.

= Examples =
The following use case is an instance of correct usage of the <code>refcount_t</code> API. The object being counted is <code>struct super_block</code>, which represents a virtual filesystem superblock, an object containing a particular filesystem's metadata such as block size, the root inode, etc.

==== Member Definition ====
This is the definition of the reference counter field in the <code>struct super_block</code> object. If the object being counted is a structure, the reference counter is typically defined as a field of the counted structure, as we see in <code>struct super_block</code> below.

From <code>[http://lxr.free-electrons.com/source/include/linux/fs.h include/linux/fs.h]</code>:
<code>
struct super_block {
    ...
    refcount_t s_active;
    ...
}; </code> ==== Object Initialization ==== When a counted object is created, its reference counter must be initialized to something sane, typically 1 (since, by virtue of being called in an "allocation" method, a user of the object already exists). From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> static struct super_block *alloc_super(struct file_system_type *type, int flags, struct user_namespace *user_ns) { struct super_block *s = kzalloc(sizeof(struct super_block), GFP_USER); ... refcount_set(&s->s_active, 1); ... } </code> ==== Getting a New Reference ==== This code is executed when a user wishes to obtain a new reference to a <code>struct super_block</code> object. The following code corresponds to the traditional reference counting "get" method. From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> static int grab_super(struct super_block *s) __releases(sb_lock) { s->s_count++; spin_unlock(&sb_lock); down_write(&s->s_umount); if ((s->s_flags & MS_BORN) && refcount_inc_not_zero(&s->s_active)) { put_super(s); return 1; } up_write(&s->s_umount); put_super(s); return 0; } </code> ==== Releasing an Existing Reference ==== This code is executed when a user currently holding a reference to a <code>struct super_block</code> object no longer needs the object and wants to release it. The following code corresponds to the traditional reference counting "put" method. From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>: <code> void deactivate_locked_super(struct super_block *s) { ... if (refcount_dec_and_test(&s->s_active)) { ... 
        put_super(s);
    }
}

void deactivate_super(struct super_block *s)
{
    if (!refcount_dec_not_one(&s->s_active)) {
        down_write(&s->s_umount);
        deactivate_locked_super(s);
    }
}
</code>
e08a71009e4b52b9711c8c203646049792624c73 Kernel Protections/HARDENED ATOMIC 0 186 3892 2017-08-04T05:18:41Z KeesCook 3 KeesCook moved page [[Kernel Protections/HARDENED ATOMIC]] to [[Kernel Protections/refcount t]] wikitext text/x-wiki
#REDIRECT [[Kernel Protections/refcount t]]
f5bd4419f2e4a5399022ec47ce3b420a4ca50948 Projects 0 5 3896 3712 2017-08-09T07:28:20Z JamesMorris 2 /* Access Control */ wikitext text/x-wiki
== Kernel Security Projects ==

=== Access Control ===
* [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks
** Mailing list archive: http://kernsec.org/pipermail/linux-security-module-archive/
* [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system
* [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework
* [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux
* [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available)
* [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection, randomization and more...)
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * [http://lwn.net/Articles/309441/ System integrity in Linux] === Privileges === * [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities] ** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article] === Networking === There are several separately maintained projects relating to network security, including: * [http://www.netfilter.org/ Netfilter] packet filtering * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog] * [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter === Storage === * [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list]. 
=== Working Group === * [[Linux Security Workgroup]] === Self Protection === * [[Kernel Self Protection Project]] 99b0600061f391dcd2d85d7bec9a0f82abe83e09 3899 3896 2017-09-14T19:08:22Z JarkkoSakkinen 8 /* Integrity */ wikitext text/x-wiki == Kernel Security Projects == === Access Control === * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks ** Mailing list archive: http://kernsec.org/pipermail/linux-security-module-archive/ * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework * [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux * [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) * [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) 
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes === Integrity === This is a rapidly developing area, see the following LWN article for an overview: * [[Linux Kernel Integrity]] * [http://lwn.net/Articles/309441/ System integrity in Linux] === Privileges === * [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities] ** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article] === Networking === There are several separately maintained projects relating to network security, including: * [http://www.netfilter.org/ Netfilter] packet filtering * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog] * [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter === Storage === * [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol * [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices === Cryptography === The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list]. 
=== Working Group ===
* [[Linux Security Workgroup]]

=== Self Protection ===
* [[Kernel Self Protection Project]]
cdb80d5672f9666aef279408b4eb088364ae0cb5 Linux Security Summit 2017 0 185 3897 3887 2017-08-10T14:54:51Z JamesMorris 2 wikitext text/x-wiki
== Overview ==
The Linux Security Summit for 2017 will be held on 14th and 15th September, in Los Angeles, CA. See the event web site for details: http://events.linuxfoundation.org/events/linux-security-summit

== Program Committee ==
The Linux Security Summit for 2017 is organized by:
* James Morris, Oracle
* Serge Hallyn, Cisco
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
d82963559b222e8ca2b3b85f24c5df6dded7fd41 Linux Kernel Integrity 0 187 3900 2017-09-14T19:16:03Z JarkkoSakkinen 8 Created page with "'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion. For non-trivial patch sets, such as patch sets that touch multiple s..." wikitext text/x-wiki
'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion.

For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to also CC the '''linux-security-module@vger.kernel.org''' mailing list for broader screening.

TPM and IMA have their own maintainers and git trees:
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git
2cc1e0cb565e3399bb6930a5ff2719a667a5aa34 3901 3900 2017-09-15T17:13:30Z JarkkoSakkinen 8 wikitext text/x-wiki
'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion.
For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC the '''linux-security-module@vger.kernel.org''' mailing list for broader screening.

TPM and IMA have their own maintainers and git trees:
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git
31e0e0534404fe8d7628d661db4975c4a6366890 3902 3901 2017-09-15T21:33:20Z JamesMorris 2 wikitext text/x-wiki
'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion.
* Subscription information is here: http://vger.kernel.org/vger-lists.html#linux-integrity

For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC the '''linux-security-module@vger.kernel.org''' mailing list for broader screening.

TPM and IMA have their own maintainers and git trees:
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git
4e684325ad964fc6dabc646aa62bdcaa4f0239e7 3919 3902 2017-10-31T00:16:54Z PeterHuewe 9 Added a bunch of useful links to capture the current situation of TPM under Linux, maybe move to its own page in the future. wikitext text/x-wiki
'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion.
* Subscription information is here: http://vger.kernel.org/vger-lists.html#linux-integrity

For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC the '''linux-security-module@vger.kernel.org''' mailing list for broader screening.
TPM and IMA have their own maintainers and git trees:
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git

== TPM 2.0 ==
The TPM 2.0 infrastructure in and around Linux is currently moving fast. Here is a link list which tries to capture the current situation.

=== Books & Links ===
* A Practical Guide to TPM 2.0, free PDF, https://link.springer.com/book/10.1007/978-1-4302-6584-9
* TPM 2.0 in Context, http://www.springer.com/de/book/9783319087436
* TCG links: https://trustedcomputinggroup.org/resources-using-trusted-platform-module-2-0-library-specification/
* Matthew Garrett's blog: https://mjg59.dreamwidth.org/ (not only about TPM)
* James Bottomley's blog: https://blog.hansenpartnership.com (not only about TPM)

=== Intel TSS Stack ===
The Intel TSS stack, compliant with the TCG SAPI specifications, consists of:
* The stack: https://github.com/01org/tpm2-tss
* The tools: https://github.com/01org/tpm2-tools
* The broker: https://github.com/01org/tpm2-abrmd (Access Broker & Resource Management Daemon)

Interesting links can be found here:
* https://lenovopress.com/lp0599-technical-introduction-tpm-20-with-linux
* http://www.jwsecure.com/2017/02/07/implementing-platform-protection-for-linux/
* https://github.com/01org/tpm2-tools/wiki/How-to-use-tpm2-tools (needs to be updated)
* RSA signatures with TPM 2.0 and OpenSSL: https://dguerriblog.wordpress.com/
* https://archive.fosdem.org/2017/schedule/event/tpm2/attachments/slides/1517/export/events/attachments/tpm2/slides/1517/FOSDEM___TPM2_0_practical_usage.pdf
* https://elinux.org/images/6/6e/ELC2017_TPM2-and-TSS_Tricca.pdf

==== Interesting Projects using Intel TSS Stack ====
Automated full disk encryption/decryption with Clevis/Tang + TPM + LUKS:
* http://redhat.slides.com/npmccallum/sad
* https://github.com/latchset/clevis/pull/17
* https://github.com/martinezjavier/clevis/blob/tpm2-pin/doc/clevis-bind-luks-tpm2.md
strongSwan VPN server + IMA + TPM support (remote attestation):
* https://wiki.strongswan.org/projects/strongswan/wiki/TPMPlugin

Others:
* Remote attestation: https://01.org/opencit
* https://github.com/irtimmer/tpm2-pk11
* https://github.com/rqou/tpm2-luks
* https://robertou.com/tpm2-sealed-luks-encryption-keys.html
* https://github.com/WindRiver-OpenSourceLabs/cryptfs-tpm2

=== IBM TSS Stack ===
The IBM stack follows a more pragmatic approach; the code, including tools and everything else, can be found at:
* https://sourceforge.net/projects/ibmtpm20tss/

James Bottomley has been actively developing against it:
* https://blog.hansenpartnership.com/using-your-tpm-as-a-secure-key-store/
* https://blog.hansenpartnership.com/tpm-enabling-gnome-keyring/
* https://blog.hansenpartnership.com/tpm2-and-linux/

It comes with its own:
* TPM 2.0 simulator: https://sourceforge.net/projects/ibmswtpm2/
* Attestation client/server: http://ibmswtpm.sourceforge.net/ibmacs.html

== IMA ==
See https://sourceforge.net/p/linux-ima/wiki/Home/ for details.
590b1ad1e86c30a6c1149c01329e179d2c301240 3920 3919 2017-10-31T00:18:51Z PeterHuewe 9 wikitext text/x-wiki
'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion.
* Subscription information is here: http://vger.kernel.org/vger-lists.html#linux-integrity

For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC the '''linux-security-module@vger.kernel.org''' mailing list for broader screening.

TPM and IMA have their own maintainers and git trees:
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git

== TPM 2.0 ==
The TPM 2.0 infrastructure in and around Linux is currently moving fast. Here is a link list which tries to capture the current situation.
=== Books & Links ===
* A Practical Guide to TPM 2.0, free PDF, https://link.springer.com/book/10.1007/978-1-4302-6584-9
* TPM 2.0 in Context, http://www.springer.com/de/book/9783319087436
* TCG links: https://trustedcomputinggroup.org/resources-using-trusted-platform-module-2-0-library-specification/
* Matthew Garrett's blog: https://mjg59.dreamwidth.org/ (not only about TPM)
* James Bottomley's blog: https://blog.hansenpartnership.com (not only about TPM)

=== Intel TSS Stack ===
The Intel TSS stack, compliant with the TCG SAPI specifications, consists of:
* The stack: https://github.com/01org/tpm2-tss
* The tools: https://github.com/01org/tpm2-tools
* The broker: https://github.com/01org/tpm2-abrmd (Access Broker & Resource Management Daemon)

Interesting links can be found here:
* https://lenovopress.com/lp0599-technical-introduction-tpm-20-with-linux
* http://www.jwsecure.com/2017/02/07/implementing-platform-protection-for-linux/
* https://github.com/01org/tpm2-tools/wiki/How-to-use-tpm2-tools (needs to be updated)
* RSA signatures with TPM 2.0 and OpenSSL: https://dguerriblog.wordpress.com/
* https://archive.fosdem.org/2017/schedule/event/tpm2/attachments/slides/1517/export/events/attachments/tpm2/slides/1517/FOSDEM___TPM2_0_practical_usage.pdf
* https://elinux.org/images/6/6e/ELC2017_TPM2-and-TSS_Tricca.pdf

==== Interesting Projects using Intel TSS Stack ====
Automated full disk encryption/decryption with Clevis/Tang + TPM + LUKS:
* http://redhat.slides.com/npmccallum/sad
* https://github.com/latchset/clevis/pull/17
* https://github.com/martinezjavier/clevis/blob/tpm2-pin/doc/clevis-bind-luks-tpm2.md

strongSwan VPN server + IMA + TPM support (remote attestation):
* https://wiki.strongswan.org/projects/strongswan/wiki/TPMPlugin

Others:
* Remote attestation: https://01.org/opencit
* https://github.com/irtimmer/tpm2-pk11
* https://github.com/rqou/tpm2-luks
* https://robertou.com/tpm2-sealed-luks-encryption-keys.html
* https://github.com/WindRiver-OpenSourceLabs/cryptfs-tpm2

=== IBM TSS Stack ===
The IBM stack follows a more pragmatic approach; the code, including tools and everything else, can be found at:
* https://sourceforge.net/projects/ibmtpm20tss/

James Bottomley has been actively developing against it:
* https://blog.hansenpartnership.com/using-your-tpm-as-a-secure-key-store/
* https://blog.hansenpartnership.com/tpm-enabling-gnome-keyring/
* https://blog.hansenpartnership.com/tpm2-and-linux/

It comes with its own:
* TPM 2.0 simulator: https://sourceforge.net/projects/ibmswtpm2/
* Attestation client/server: http://ibmswtpm.sourceforge.net/ibmacs.html

== IMA ==
See https://sourceforge.net/p/linux-ima/wiki/Home/ for details.
d2447a47e5bca4f751ac038b2e1f559c9b6caa20 3931 3920 2018-03-15T14:03:54Z Stefanb 10 /* IMA */ wikitext text/x-wiki
'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion.
* Subscription information is here: http://vger.kernel.org/vger-lists.html#linux-integrity

For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC the '''linux-security-module@vger.kernel.org''' mailing list for broader screening.

TPM and IMA have their own maintainers and git trees:
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git

== TPM 2.0 ==
The TPM 2.0 infrastructure in and around Linux is currently moving fast. Here is a link list which tries to capture the current situation.
=== Books & Links ===
* A Practical Guide to TPM 2.0, free PDF, https://link.springer.com/book/10.1007/978-1-4302-6584-9
* TPM 2.0 in Context, http://www.springer.com/de/book/9783319087436
* TCG Links https://trustedcomputinggroup.org/resources-using-trusted-platform-module-2-0-library-specification/
* Matthew Garrett's blog https://mjg59.dreamwidth.org/ (not only about TPM)
* James Bottomley's blog https://blog.hansenpartnership.com (not only about TPM)

=== Intel TSS Stack ===
The Intel TSS Stack, compliant with the TCG SAPI specifications, consists of
* The Stack: https://github.com/01org/tpm2-tss
* The Tools: https://github.com/01org/tpm2-tools
* The Broker: https://github.com/01org/tpm2-abrmd (Access Broker & Resource Management Daemon)

Interesting links can be found here:
* https://lenovopress.com/lp0599-technical-introduction-tpm-20-with-linux
* http://www.jwsecure.com/2017/02/07/implementing-platform-protection-for-linux/
* https://github.com/01org/tpm2-tools/wiki/How-to-use-tpm2-tools (needs to be updated)
* RSA signatures with TPM 2.0 and OpenSSL https://dguerriblog.wordpress.com/
* https://archive.fosdem.org/2017/schedule/event/tpm2/attachments/slides/1517/export/events/attachments/tpm2/slides/1517/FOSDEM___TPM2_0_practical_usage.pdf
* https://elinux.org/images/6/6e/ELC2017_TPM2-and-TSS_Tricca.pdf

==== Interesting Projects using Intel TSS Stack ====
Automated full disk encryption/decryption with Clevis/Tang + TPM + LUKS
* http://redhat.slides.com/npmccallum/sad
* https://github.com/latchset/clevis/pull/17
* https://github.com/martinezjavier/clevis/blob/tpm2-pin/doc/clevis-bind-luks-tpm2.md

StrongSwan VPN server + IMA + TPM support (remote attestation)
* https://wiki.strongswan.org/projects/strongswan/wiki/TPMPlugin

Others:
* Remote Attestation https://01.org/opencit
* https://github.com/irtimmer/tpm2-pk11
* https://github.com/rqou/tpm2-luks
* https://robertou.com/tpm2-sealed-luks-encryption-keys.html
* https://github.com/WindRiver-OpenSourceLabs/cryptfs-tpm2

=== IBM TSS Stack ===
The IBM stack follows a more pragmatic approach; the code can be found at
* https://sourceforge.net/projects/ibmtpm20tss/ including tools and everything.

James Bottomley has been actively developing against it:
* https://blog.hansenpartnership.com/using-your-tpm-as-a-secure-key-store/
* https://blog.hansenpartnership.com/tpm-enabling-gnome-keyring/
* https://blog.hansenpartnership.com/tpm2-and-linux/

It comes with its own
* TPM 2.0 simulator https://sourceforge.net/projects/ibmswtpm2/
* Attestation client/server http://ibmswtpm.sourceforge.net/ibmacs.html

== IMA ==
See https://sourceforge.net/p/linux-ima/wiki/Home/ for details.

IMA namespacing: [[IMA Namespacing design considerations]]

Page: Kernel Repository (namespace 0, page id 4)
Revision 3904 (parent 3486) by JamesMorris, 2017-09-25T05:45:14Z
Revision 3905 (parent 3904) by JamesMorris, 2017-09-25T05:46:20Z, summary: /* Notes for Subsystem Maintainers */

To develop patches for the kernel security subsystem, use git to clone the linux-security tree:

<code>$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git</code>

Unless otherwise requested, all development should be done against the '''next-general''' branch, which is automatically pulled into the linux-next tree. To track this branch:

<code>$ git checkout --track -b my-next origin/next-general</code>

You can also fetch this branch into an existing local kernel repository and manage it via git remote. Refer to the git documentation and the Kernel Hackers' Guide to git for more information.

Patches for review and submission should be generated with git format-patch. If you want a git branch pulled directly, use git request-pull.

A web-browsable interface via gitweb may be found at: http://git.kernel.org/?p=linux/kernel/git/jmorris/linux-security.git;a=summary

Patches should be sent as inline text to linux-kernel @ vger.kernel.org, and preferably cc'd to linux-security-module @ vger.kernel.org and jmorris @ namei.org.

== Notes for Subsystem Maintainers ==
* Code to be merged must be in next-testing for at least two weeks before I can submit to Linus (excepting urgent bugfixes)
* This means it must be in my tree (which is pulled to -next) for at least that long, unless you separately push to linux-next (like SELinux does)
* '''Your code must be submitted to my tree by -rc4'''
* Once Linus' merge window opens, no new code can go into -next until -rc1. I can queue your code in a branch in my tree, or you can submit it after -rc1
* Ensure that the branch to be pulled merges cleanly into mine!

Page: Linux Kernel Summit 2017, Security Session (namespace 0, page id 188)
Revision 3909 by JamesMorris, 2017-10-16T06:17:18Z, summary: Created page with "A security session has been accepted into the [http://events.linuxfoundation.org/events/linux-kernel-summit Linux Kernel Summit 2017] agenda. See Ted's announcement here: htt..."
Revision 3910 (parent 3909) by JamesMorris, 2017-10-16T06:23:24Z
Revision 3911 (parent 3910) by JamesMorris, 2017-10-16T06:25:00Z
Revision 3912 (parent 3911) by JamesMorris, 2017-10-16T06:25:16Z
Revision 3913 (parent 3912) by JamesMorris, 2017-10-16T06:26:55Z
Revision 3914 (parent 3913) by JamesMorris, 2017-10-16T06:28:57Z
Revision 3917 (parent 3914) by JamesMorris, 2017-10-20T00:32:46Z

A security session has been accepted into the [http://events.linuxfoundation.org/events/linux-kernel-summit Linux Kernel Summit 2017] agenda. See Ted's announcement here: https://lists.linuxfoundation.org/pipermail/ksummit-discuss/2017-October/004816.html

This event will be open to all attendees of the [http://events.linuxfoundation.org/events/open-source-summit-europe Open Source Summit Europe 2017].

A preliminary agenda for the security sessions is as follows:

{| class="wikitable"
|+ style="text-align: left;" | Preliminary agenda
|-
! Topic
! Presenter
|-
| Kernel Self Protection Project update
| Kees Cook
|-
| TPM update
| Jarkko Sakkinen
|-
| Linux Security Summit followup: security namespaces
| James Morris
|}

This is likely to evolve. If you have any topics to propose for the security session, please post to [https://lists.linuxfoundation.org/mailman/listinfo/ksummit-discuss ksummit-discuss].

Page: Main Page (namespace 0, page id 1)
Revision 3915 (parent 26) by JamesMorris, 2017-10-18T01:58:04Z
Revision 3916 (parent 3915) by JamesMorris, 2017-10-18T01:58:23Z, summary: /* Resources */
Revision 3918 (parent 3916) by PeterHuewe, 2017-10-30T23:37:25Z, summary: Added Link to Linux Integrity, as more pages will follow under that entry page.

= Linux Kernel Security Subsystem =
This is the Linux kernel security subsystem wiki, a resource for developers and users.

It also features resources for the [[Linux Kernel Integrity | Linux Kernel Integrity Subsystem]]

== Resources ==
* [[Kernel Repository]]
* [[Projects]]
* [[Events]]

----
If you would like an account on this site, please email ''jmorris _at namei.org''.

Page: User talk:Stefanb (namespace 3, page id 189)
Revision 3925 by Stefanb, 2018-03-14T21:52:10Z, summary: Created page with "== Namespacing IMA == Our goals are to enable IMA measurements, appraisal, and auditing inside a container using Linux namespaces. The intention is to introduce an IMA namesp..."
Revision 3926 (parent 3925) by Stefanb, 2018-03-15T12:57:23Z

== Namespacing IMA ==
Our goals are to enable IMA measurements, appraisal, and auditing inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===
IMA measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA appraisal is about only allowing files to be accessed that have been properly signed.
This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA auditing is about reporting system events, such as an update of the IMA policy or files that were measured. Which file activity is audited can be configured using an IMA policy.

=== IMA Namespacing Considerations ===
When namespacing IMA, we want to prevent the abuse of namespaces by users to do things that go undetected. Of primary concern are the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation:

Support for IMA in namespaces should enable the following:

* IMA policy for container (similar to the host):
** there should be an initial default policy for every IMA namespace that measures activities inside the container
** the policy can be overwritten once with a user-defined policy that may activate appraisal
** CAP_SYS_ADMIN is currently gating the setting of the IMA policy
** setting the policy should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
* IMA policy extensions due to namespacing:
** an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or 'not'; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
* IMA measurements:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA auditing:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA appraisal and keys:
** each IMA namespace should have its own keyring so that each container can have its files signed with different keys
** the keys (certificates) for verifying signatures may be found inside containers
** it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
** the CA public key used for verifying the public keys (certificates) used for verifying signatures may be found inside the container or could be known to the container management stack
* IMA appraisal and namespacing:
** If IMA appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns?
* TPM and measurements:
** The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
* Extended attribute security.ima:
** A container should be able to set the security.ima extended attribute
** this should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
* Extended attribute security.ima and bind mounting:
** It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
** Extended attributes, such as security.ima, may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: A user creates a privileged container that shares the host's mount namespace: it would be unexpected if there was an IMA policy active on the host that enforces file appraisal but in this case the IMA policy is not enforced, since a (hypothetical) IMA namespace of the host was not joined because only the mount namespace of the host was joined.

Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in RFC patches) and joining the mount namespace automatically joins the associated IMA namespace (single setns()). Or we make user space responsible for it and say if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.

So either we tie the IMA namespace to some other existing namespace, preferably the mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file).

== MNT and IMA Namespaces tied together ==
Let's assume we tie MNT and IMA namespaces together; then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available
* PID namespaces and send signals: log, appraise, and audit file activity following IMA policy
* IPC namespaces and send messages via IPC: same as for PID
* UTS namespaces and setting hostname: same as for PID
* NET namespaces and sending network traffic: same as for PID?
* CGROUP namespaces and configuring cgroups: same as for PID?
* USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? Other than that, same as for PID?

== Independent IMA Namespace ==
If we create an IMA namespace independently from any other mount namespace, what are we to gain from this or lose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy and only had its activities measured and audited but not appraised?
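The "host root must always be measured and audited" rule from the considerations above, as an added illustration that is not part of Stefanb's notes and not kernel code: a small Python model of a two-level IMA namespace hierarchy in which each namespace carries its own policy and log. The ImaPolicy, ImaNamespace, FileEvent and record_event names, the measure_children/audit_children policy flags and the sample file paths are all constructed for this example; the kernel's real namespace and policy structures differ, and appraisal is left out because the notes leave that question open.

```python
# Added illustration (not kernel code and not from the design notes above): a
# toy model of the "host root is always measured and audited" rule for nested
# IMA namespaces. Namespace, policy and event structures are constructed here.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class ImaPolicy:
    measure: bool = True             # measure file activity in this namespace
    audit: bool = True               # audit file activity in this namespace
    measure_children: bool = False   # also record activity of child IMA namespaces
    audit_children: bool = False


@dataclass
class ImaNamespace:
    name: str
    policy: ImaPolicy
    parent: Optional["ImaNamespace"] = None
    measurement_log: List[str] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def chain_to_init(self) -> List["ImaNamespace"]:
        """This namespace followed by its ancestors up to init_ima_ns."""
        chain, ns = [], self
        while ns is not None:
            chain.append(ns)
            ns = ns.parent
        return chain


@dataclass
class FileEvent:
    path: str
    host_root: bool          # uid 0 in the initial user namespace (host root)
    ima_ns: ImaNamespace     # IMA namespace the access happens in


def record_event(ev: FileEvent) -> Set[str]:
    """Decide which IMA namespaces log the event; return their names.

    Rule from the design notes: host root's activity is measured and audited in
    every IMA namespace on the path to init_ima_ns, regardless of what the child
    policies say. Everyone else is subject only to the current namespace's
    policy, plus any ancestor whose policy opts in to child activity.
    """
    recorded: Set[str] = set()
    entry = f"{ev.ima_ns.name}:{ev.path}"
    for ns in ev.ima_ns.chain_to_init():
        if ev.host_root:
            measure = audit = True
        elif ns is ev.ima_ns:
            measure, audit = ns.policy.measure, ns.policy.audit
        else:
            measure, audit = ns.policy.measure_children, ns.policy.audit_children
        if measure:
            ns.measurement_log.append(entry)
        if audit:
            ns.audit_log.append(entry)
        if measure or audit:
            recorded.add(ns.name)
    return recorded


def build_tree(container_policy: ImaPolicy, host_sees_children: bool):
    """Constructed two-level hierarchy: init_ima_ns -> one container IMA namespace."""
    init_ns = ImaNamespace(
        "init_ima_ns",
        ImaPolicy(measure_children=host_sees_children, audit_children=host_sees_children),
    )
    container = ImaNamespace("container_ima_ns", container_policy, parent=init_ns)
    return init_ns, container


def demo_empty_container_policy():
    """Container with an empty policy: root is still seen everywhere, others nowhere."""
    init_ns, container = build_tree(ImaPolicy(measure=False, audit=False), host_sees_children=False)
    by_root = record_event(FileEvent("/usr/bin/sh", host_root=True, ima_ns=container))
    by_user = record_event(FileEvent("/usr/bin/ls", host_root=False, ima_ns=container))
    return by_root, by_user, len(init_ns.measurement_log), len(container.audit_log)


def demo_default_container_policy():
    """Container default policy with the host opting in to child activity."""
    init_ns, container = build_tree(ImaPolicy(), host_sees_children=True)
    by_user = record_event(FileEvent("/usr/bin/ls", host_root=False, ima_ns=container))
    return by_user, len(init_ns.measurement_log), len(container.measurement_log)


if __name__ == "__main__":
    print(demo_empty_container_policy())
    print(demo_default_container_policy())
```

In the empty-policy case the host-root access is recorded in both the container namespace and init_ima_ns, while an unprivileged access under the same empty policy is recorded nowhere; that asymmetry is exactly the guarantee the notes ask for, so that a root user cannot make activity disappear by entering a child namespace with a NULL policy. The second case shows the opt-in direction: a parent only sees non-root child activity when its own policy asks for it, which is the "huge logs on the host" trade-off mentioned above.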
Revision 3927 (parent 3926) by Stefanb, 2018-03-15T12:58:52Z, summary: /* IMA Namespacing Considerations */

== Namespacing IMA ==
Our goals are to enable IMA measurements, appraisal, and auditing inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===
IMA measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA appraisal is about only allowing files to be accessed that have been properly signed. This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA auditing is about reporting system events, such as an update of the IMA policy or files that were measured. Which file activity is audited can be configured using an IMA policy.

=== IMA Namespacing Considerations ===
When namespacing IMA, we want to prevent the abuse of namespaces by users to do things that go undetected. Of primary concern are the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems:

Support for IMA in namespaces should enable the following:

* IMA policy for container (similar to the host):
** there should be an initial default policy for every IMA namespace that measures activities inside the container
** the policy can be overwritten once with a user-defined policy that may activate appraisal
** CAP_SYS_ADMIN is currently gating the setting of the IMA policy
** setting the policy should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
* IMA policy extensions due to namespacing:
** an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or 'not'; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
* IMA measurements:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA auditing:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA appraisal and keys:
** each IMA namespace should have its own keyring so that each container can have its files signed with different keys
** the keys (certificates) for verifying signatures may be found inside containers
** it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
** the CA public key used for verifying the public keys (certificates) used for verifying signatures may be found inside the container or could be known to the container management stack
* IMA appraisal and namespacing:
** If IMA appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns?
* TPM and measurements:
** The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
* Extended attribute security.ima:
** A container should be able to set the security.ima extended attribute
** this should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
* Extended attribute security.ima and bind mounting:
** It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
** Extended attributes, such as security.ima, may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: A user creates a privileged container that shares the host's mount namespace: it would be unexpected if there was an IMA policy active on the host that enforces file appraisal but in this case the IMA policy is not enforced, since a (hypothetical) IMA namespace of the host was not joined because only the mount namespace of the host was joined.

Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in RFC patches) and joining the mount namespace automatically joins the associated IMA namespace (single setns()). Or we make user space responsible for it and say if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.
So either we tie the IMA namespace to some other existing namespace, preferably mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file). == MNT and IMA Namespaces tied together == Let's assume we tie MNT and IMA namespaces together, then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available - PID namespaces and send signals: log, appraise, and audit file activity following IMA policy - IPC namespaces and send messages via IPC: same as for PID - UTS namespaces and setting hostname: same as for PID - NET namespaces and sending network traffic: same as for PID? - CGROUP namespaces and configuring cgroups: same as for PID? - USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? other than that, same as for PID? == Independent IMA Namespace == If we create an IMA namespace independently from any other mount namespace, what are we to gain from this or loose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy and only have its activities measured and audited but not appraised? 1ecb5205874d8ce3d6a06c6539bf657f8ee903f0 3928 3927 2018-03-15T13:00:19Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA measurements, appraisal, and auditing inside a container using Linux namespaces. The intention is to introduce an IMA namespace. === Background === IMA measurement is about logging files that were read or executables that were started on a machine. 
4015ae4b203953d72b4d68c30342fd62160b8178 3932 3929 2018-03-15T14:16:19Z Stefanb 10 Blanked the page wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709

IMA Namespacing design considerations 0 190 3930 2018-03-15T14:03:15Z Stefanb 10 Created page with "== Namespacing IMA == Our goals are to enable IMA measurements, appraisal, and auditing inside a container using Linux namespaces. The intention is to introduce an IMA namesp..."
wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA measurements, appraisal, and auditing inside a container using Linux namespaces. The intention is to introduce an IMA namespace. === Background === IMA measurement is about logging files that were read or executables that were started on a machine. Current IMA supports for example measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy. IMA appraisal is about only allowing files to be accessed that have been properly signed. This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.iam extended attribute. The keys for verifying the signature are found in IMA specific keyrings .ima or _ima. IMA auditing is about reporting system events, such as update of the IMA policy or files that were measured. Which file activity is audited can be configured using an IMA policy. === IMA Namespacing Considerations === When namespacing IMA, we want to prevent the abuse of namespaces by users to do things that go undetected. A primary concern are activities of root in the TCB. Since root has all the rights on the system he could try to abuse his power by spawning new IMA namespaces do things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation. 
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems: Support for IMA in namespaces should enable the following: - IMA policy for container (similar to the host): - there should be an initial default policy for every IMA namespace that measures activities inside the container - the policy can be overwritten once with a user-defined policy that may activate appraisal - CAP_SYS_ADMIN is currently gating the setting of the IMA policy; - setting the policy should be possibly without the almighty CAP_SYS_ADMIN - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime - IMA policy extensions due to namespacing: - an IMA policy should allow rules that define whether activities in (all) child namespaces is to be measured (huge logs on the host) and audited or 'not'; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - IMA measurements: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA auditing: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child 
namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA appraisal and keys: - each IMA namespace should have its own keyring so that each container can have its files signed with different keys - the keys (certificates) for verifying signatures may be found inside containers - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host - the CA public key used for verifying that public keys (certificates) used for verifying signatures may be found inside the container or could be known to the container management stack - IMA appraisal and namespacing: - If IMA appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns? 
- TPM and measurements: - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurement in the initial IMA namespace are extended into the hardware TPM as done already - Extended attribute security.ima: - A container should be able to set the security.ima extended attribute - this should be possibly without the almighty CAP_SYS_ADMIN; - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time - Extended attribute security.ima and bind mounting - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.) - Extended attributes, such as seucrity.ima) may need to be virtualizeable (security.ima vs. security.ima@uid=1000 etc.) A concrete 'ab-use' case that we have to to avoid is the following: A user creates a privileged container that shares the host's mount namespace: it would be unexpected if there was an IMA policy active on the host that enforces file appraisal but in this case the IMA policy is not enforced since a (hypothetical) IMA namespace of the host was not joined because only the mount namespace of the host was joined. Now we have two choices here: We tie the mount and IMA namespaces together via single clone flag (as proposed in RFC patches) and joining the mount namespace automatically joins the associated IMA namespace (single setns()). Or we make user space responsible for it and say if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter. 
So either we tie the IMA namespace to some other existing namespace, preferably mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file). == MNT and IMA Namespaces tied together == Let's assume we tie MNT and IMA namespaces together, then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available - PID namespaces and send signals: log, appraise, and audit file activity following IMA policy - IPC namespaces and send messages via IPC: same as for PID - UTS namespaces and setting hostname: same as for PID - NET namespaces and sending network traffic: same as for PID? - CGROUP namespaces and configuring cgroups: same as for PID? - USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? other than that, same as for PID? == Independent IMA Namespace == If we create an IMA namespace independently from any other mount namespace, what are we to gain from this or loose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy and only have its activities measured and audited but not appraised? 4015ae4b203953d72b4d68c30342fd62160b8178 3933 3930 2018-03-15T14:22:05Z Stefanb 10 wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace. === Background === IMA-measurement is about logging files that were read or executables that were started on a machine. 
Current IMA supports for example measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy. IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in IMA specific keyrings .ima or _ima. IMA-audit is about IMA related events, such as update of the IMA policy or files that were measured by IMA. Which file activity is audited can be configured using an IMA policy. === IMA Namespacing Considerations === When namespacing IMA we want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are activities of root in the TCB. Since root has all the rights on the system he could try to abuse his power by spawning new IMA namespaces do things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation. 
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

* IMA policy for container (similar to the host):
** there should be an initial default policy for every IMA namespace that measures activities inside the container
** the policy can be overwritten once with a user-defined policy that may activate appraisal
** CAP_SYS_ADMIN is currently gating the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
* IMA policy extensions due to namespacing:
** an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
* IMA-measurement:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-audit:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-appraisal and keys:
** each IMA namespace should have its own keyring so that each container can have its files signed with different keys
** the keys (certificates) for verifying signatures may be found inside containers
** it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
** the CA public key used for verifying the public keys (certificates) that in turn verify file signatures may be found inside the container or could be known to the container management stack
* IMA-appraisal and namespacing:
** If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns?
* TPM and measurements:
** The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
* Extended attribute security.ima:
** A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
* Extended attribute security.ima and bind mounting:
** It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
** Extended attributes, such as security.ima, may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: A user creates a privileged container that shares the host's mount namespace. It would be unexpected if there was an IMA policy active on the host that enforces file appraisal, but in this case the IMA policy is not enforced, since a (hypothetical) IMA namespace of the host was not joined because only the mount namespace of the host was joined. Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in RFC patches), and joining the mount namespace automatically joins the associated IMA namespace (single setns()). Or we make user space responsible for it and say that if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.
So either we tie the IMA namespace to some other existing namespace, preferably the mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file).

== MNT and IMA Namespaces tied together ==

Let's assume we tie MNT and IMA namespaces together. Then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace. What should happen with IMA logging, appraisal, and auditing if we setns() through all available:

* PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy
* IPC namespaces and send messages via IPC: same as for PID
* UTS namespaces and set the hostname: same as for PID
* NET namespaces and send network traffic: same as for PID?
* CGROUP namespaces and configure cgroups: same as for PID?
* USER namespaces: should now the keys of this USER namespace be active, or the keys of the original user namespace used during the clone()? Other than that, same as for PID?

== Independent IMA Namespace ==

If we create an IMA namespace independently from any other mount namespace, what are we to gain from this or lose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only had its activities measured and audited but not appraised?

b1ca7b89f34ade41c4ec3f65e4e2af256da89e7c 3934 3933 2018-03-15T14:30:36Z Stefanb 10 wikitext text/x-wiki
24f74f73f7700928d5d446d016bce8ca32a86d53 3935 3934 2018-03-15T14:31:21Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki
c346c467e324f0e58754d13ab9bcaeb02ed093d5 3936 3935 2018-03-15T14:32:04Z Stefanb 10 /* Independent IMA Namespace */ wikitext text/x-wiki
6c2b7f4ff68a14b15c7ef83c609779b99d7f3169 3937 3936 2018-03-15T14:34:31Z Stefanb 10 /* Background */ wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine.
Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows a machine to be locked down if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activity of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but now go undetected due to weaknesses in the IMA namespacing implementation.
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

* IMA policy for container (similar to the host):
** there should be an initial default policy for every IMA namespace that measures activities inside the container
** the policy can be overwritten once with a user-defined policy that may activate appraisal
** CAP_SYS_ADMIN is currently gating the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
* IMA policy extensions due to namespacing:
** an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
* IMA-measurement:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-audit:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-appraisal and keys:
** each IMA namespace should have its own keyring so that each container can have its files signed with different keys
** the keys (certificates) for verifying signatures may be found inside containers
** it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
** the CA public key used for verifying the public keys (certificates) that in turn verify file signatures may be found inside the container or could be known to the container management stack
* IMA-appraisal and namespacing:
** If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns?
* TPM and measurements:
** The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
* Extended attribute security.ima:
** A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
* Extended attribute security.ima and bind mounting:
** It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
** Extended attributes, such as security.ima, may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: A user creates a privileged container that shares the host's mount namespace. It would be unexpected if there was an IMA policy active on the host that enforces file appraisal, but in this case the IMA policy is not enforced, since a (hypothetical) IMA namespace of the host was not joined because only the mount namespace of the host was joined. Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in RFC patches), and joining the mount namespace automatically joins the associated IMA namespace (single setns()). Or we make user space responsible for it and say that if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.
So either we tie the IMA namespace to some other existing namespace, preferably mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file). == MNT and IMA Namespaces tied together == Let's assume we tie MNT and IMA namespaces together, then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available - PID namespaces and send signals: log, appraise, and audit file activity following IMA policy - IPC namespaces and send messages via IPC: same as for PID - UTS namespaces and setting hostname: same as for PID - NET namespaces and sending network traffic: same as for PID? - CGROUP namespaces and configuring cgroups: same as for PID? - USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? other than that, same as for PID? == Independent IMA Namespace == If we create an IMA namespace independently from any other mount namespace, what are we to gain from this or loose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only have its activities measured and audited but not appraised? 84dcac79158e42b405e57fb7fac5fedd734ef647 IMA Namespacing design considerations 0 190 3938 3937 2018-03-15T14:45:49Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace. 
=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows a machine to be locked down if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

* IMA policy for container (similar to the host):
** there should be an initial default policy for every IMA namespace that measures activities inside the container
** the policy can be overwritten once with a user-defined policy that may activate appraisal
** CAP_SYS_ADMIN is currently gating the setting of the IMA policy
** setting the policy should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
* IMA policy extensions due to namespacing:
** an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
* IMA-measurement:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-audit:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-appraisal and keys:
** each IMA namespace should have its own keyring so that each container can have its files signed with different keys
** the keys (certificates) for verifying signatures may be found inside containers
** it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
** the CA public key used for verifying the public keys (certificates) that are used for verifying signatures may be found inside the container or could be known to the container management stack
* IMA-appraisal and namespacing:
** If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?
* TPM and measurements:
** The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as is done already
* Extended attribute security.ima:
** A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
* Extended attribute security.ima and bind mounting:
** It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
** Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: Root creates a privileged container that shares the host's mount namespace but creates a new IMA namespace with an empty policy. It would be unexpected if there was an IMA policy active on the host that enforces file appraisal but, in this case, the IMA policy is not enforced, since a (hypothetical) IMA namespace of the host was not joined because only the mount namespace of the host was joined.

Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in RFC patches), and joining the mount namespace automatically joins the associated IMA namespace (single setns()). Or we make user space responsible for it and say that if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.

So either we tie the IMA namespace to some other existing namespace, preferably the mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file).

== MNT and IMA Namespaces tied together ==

Let's assume we tie MNT and IMA namespaces together; then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available

* PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy
* IPC namespaces and send messages via IPC: same as for PID
* UTS namespaces and set the hostname: same as for PID
* NET namespaces and send network traffic: same as for PID?
* CGROUP namespaces and configure cgroups: same as for PID?
* USER namespaces: should the keys of this USER namespace now be active, or the keys of the original user namespace used during the clone()? Other than that, same as for PID?

== Independent IMA Namespace ==

If we create an IMA namespace independently from any other mount namespace, what are we to gain or lose from this? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only had its activities measured and audited but not appraised?

----
''Revision 3939 (parent revision 3938), 2018-03-15T15:04:29Z, by Stefanb, edit summary: /* IMA Namespacing Considerations */''

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.
=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows a machine to be locked down if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

* IMA policy for container (similar to the host):
** there should be an initial default policy for every IMA namespace that measures activities inside the container
** the policy can be overwritten once with a user-defined policy that may activate appraisal
** CAP_SYS_ADMIN is currently gating the setting of the IMA policy
** setting the policy should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
* IMA policy extensions due to namespacing:
** an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
* IMA-measurement:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-audit:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-appraisal and keys:
** each IMA namespace should have its own keyring so that each container can have its files signed with different keys
** the keys (certificates) for verifying signatures may be found inside containers
** it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
** the CA public key used for verifying the public keys (certificates) that are used for verifying signatures may be found inside the container or could be known to the container management stack
* IMA-appraisal and namespacing:
** If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?
* TPM and measurements:
** The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as is done already
* Extended attribute security.ima:
** A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
* Extended attribute security.ima and bind mounting:
** It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
** Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: Root creates a container that shares the host's mount namespace but creates a new IMA namespace with an empty policy. It would be unexpected if there was an IMA policy active on the host that enforces file appraisal but, in this case, the IMA policy is not enforced, since a (hypothetical) IMA namespace of the host was not joined because only the mount namespace of the host was joined and a new IMA namespace was created.

Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in RFC patches), and joining the mount namespace automatically joins the associated IMA namespace (single setns()). This eliminates the ability to create an independent IMA namespace. Or we make user space responsible for it and say that if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.

So either we tie the IMA namespace to some other existing namespace, preferably the mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file).

== MNT and IMA Namespaces tied together ==

Let's assume we tie MNT and IMA namespaces together; then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available

* PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy
* IPC namespaces and send messages via IPC: same as for PID
* UTS namespaces and set the hostname: same as for PID
* NET namespaces and send network traffic: same as for PID?
* CGROUP namespaces and configure cgroups: same as for PID?
* USER namespaces: should the keys of this USER namespace now be active, or the keys of the original user namespace used during the clone()? Other than that, same as for PID?

== Independent IMA Namespace ==

If we create an IMA namespace independently from any other mount namespace, what are we to gain or lose from this? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only had its activities measured and audited but not appraised?
----
''Revision 3940 (parent revision 3939), 2018-03-15T17:13:37Z, by Stefanb, edit summary: /* IMA Namespacing Considerations */''

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows a machine to be locked down if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

* IMA policy for container (similar to the host):
** there should be an initial default policy for every IMA namespace that measures activities inside the container
** the policy can be overwritten once with a user-defined policy that may activate appraisal
** CAP_SYS_ADMIN is currently gating the setting of the IMA policy
** setting the policy should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
* IMA policy extensions due to namespacing:
** an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
* IMA-measurement:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-audit:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-appraisal and keys:
** each IMA namespace should have its own keyring so that each container can have its files signed with different keys
** the keys (certificates) for verifying signatures may be found inside containers
** it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
** the CA public key used for verifying the public keys (certificates) that are used for verifying signatures may be found inside the container or could be known to the container management stack
* IMA-appraisal and namespacing:
** If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?
** Maybe the following would be a solution for appraising file accesses with keys assumed in the current user_ns:

 for imans from current-IMA-NS backwards up to and including init_ima_ns:
     if policy(imans) has appraisal rules for this file:
         if file appraisal fails:
             fail access
         else:
             allow access
         break

* TPM and measurements:
** The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as is done already
* Extended attribute security.ima:
** A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
* Extended attribute security.ima and bind mounting:
** It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
** Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: Root creates a container that shares the host's mount namespace but creates a new IMA namespace with an empty policy. It would be unexpected if there was an IMA policy active on the host that enforces file appraisal but, in this case, the IMA policy is not enforced, since a (hypothetical) IMA namespace of the host was not joined because only the mount namespace of the host was joined and a new IMA namespace was created.
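The appraisal walk sketched above, together with the "root is always measured and audited" rule, applied to exactly this ab-use case. This is an added model written for this page, not kernel code or a patch; the namespace, rule and key names are constructed, rules select files by path prefix, and a signature is stood in for by the id of the key that made it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the decision rules discussed on this page; not kernel code.
# Appraisal "succeeds" when the id of the signing key is on the keyring of the
# namespace in which the access happens (keys assumed in the current user_ns).


@dataclass
class Rule:
    action: str                 # "measure", "appraise" or "audit"
    uid: Optional[int] = None   # None matches any uid; uids as seen in init_user_ns
    prefix: str = "/"           # assumption: rules select files by path prefix


@dataclass
class ImaNamespace:
    name: str
    parent: Optional["ImaNamespace"] = None
    rules: list = field(default_factory=list)
    keyring: set = field(default_factory=set)   # key ids trusted for appraisal here
    measure_children: bool = True   # policy extension: log child-namespace activity
    audit_children: bool = True     # policy extension: audit child-namespace activity
    log: list = field(default_factory=list)     # measurement list (would go to a (v)TPM)
    audit_log: list = field(default_factory=list)

    def has_rule(self, action, host_uid, path):
        return any(r.action == action and (r.uid is None or r.uid == host_uid)
                   and path.startswith(r.prefix) for r in self.rules)

    def chain(self):
        """Yield self, parent, ..., init_ima_ns."""
        ns = self
        while ns is not None:
            yield ns
            ns = ns.parent


@dataclass
class File:
    path: str
    signed_by: Optional[str] = None   # id of the key behind the security.ima signature


def appraise(current, host_uid, f):
    """The walk from the page: the first namespace on the way back to init_ima_ns
    that has an appraisal rule for the file decides, and the signature is checked
    with the keys of the namespace where the access happens.
    Returns (allowed, name of the deciding namespace or None)."""
    for ns in current.chain():
        if ns.has_rule("appraise", host_uid, f.path):
            ok = f.signed_by is not None and f.signed_by in current.keyring
            return ok, ns.name
    return True, None   # no appraisal rule anywhere on the chain


def record(current, host_uid, f, action):
    """Measure or audit the access. Host root (uid 0 in init_user_ns) is recorded
    in the current namespace and in every ancestor regardless of policy; anyone
    else only per the current policy and the ancestors' child-namespace settings.
    Returns the names of the namespaces that recorded the access."""
    where = []
    for depth, ns in enumerate(current.chain()):
        if host_uid == 0:
            applies = True
        elif depth == 0:
            applies = ns.has_rule(action, host_uid, f.path)
        else:
            applies = ns.measure_children if action == "measure" else ns.audit_children
        if applies:
            (ns.log if action == "measure" else ns.audit_log).append(
                (current.name, host_uid, f.path))
            where.append(ns.name)
    return where


def file_access(current, host_uid, f):
    """Full decision for one file access performed inside namespace `current`."""
    allowed, decided_by = appraise(current, host_uid, f)
    return {"allowed": allowed, "appraised_by": decided_by,
            "measured_in": record(current, host_uid, f, "measure"),
            "audited_in": record(current, host_uid, f, "audit")}


def build_scenario():
    """The ab-use case: the host appraises root's files, the container shares the
    host mount namespace but got its own IMA namespace with an empty policy, and
    the host chose not to log container activity (the cloud setting above)."""
    host = ImaNamespace("init_ima_ns",
                        rules=[Rule("measure", uid=0), Rule("appraise", uid=0),
                               Rule("audit", uid=0)],
                        keyring={"host-key"},
                        measure_children=False, audit_children=False)
    container = ImaNamespace("container", parent=host, rules=[],
                             keyring={"container-key"})
    return host, container


if __name__ == "__main__":
    host, container = build_scenario()
    # Host root running an unsigned host binary from inside the container:
    # denied by init_ima_ns' policy and measured/audited in both namespaces.
    print(file_access(container, 0, File("/usr/bin/host-tool")))
    print(file_access(container, 100000, File("/usr/bin/host-tool")))
```

The third access in the test below (a file carrying a valid host-key signature that is still denied because the container keyring does not hold that key) is the open question the page raises about where the keys are expected to be found.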
Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in RFC patches), and joining the mount namespace automatically joins the associated IMA namespace (single setns()). This eliminates the ability to create an independent IMA namespace. Or we make user space responsible for it and say that if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.

So either we tie the IMA namespace to some other existing namespace, preferably the mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file).

== MNT and IMA Namespaces tied together ==

Let's assume we tie MNT and IMA namespaces together; then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available

* PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy
* IPC namespaces and send messages via IPC: same as for PID
* UTS namespaces and set the hostname: same as for PID
* NET namespaces and send network traffic: same as for PID?
* CGROUP namespaces and configure cgroups: same as for PID?
* USER namespaces: should the keys of this USER namespace now be active, or the keys of the original user namespace used during the clone()? Other than that, same as for PID?

== Independent IMA Namespace ==

If we create an IMA namespace independently from any other mount namespace, what are we to gain or lose from this? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only had its activities measured and audited but not appraised?

----
''Revision 3941 (parent revision 3940), 2018-03-15T17:14:01Z, by Stefanb, edit summary: /* IMA Namespacing Considerations */''

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows a machine to be locked down if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems: Support for IMA in namespaces should enable the following: - IMA policy for container (similar to the host): - there should be an initial default policy for every IMA namespace that measures activities inside the container - the policy can be overwritten once with a user-defined policy that may activate appraisal - CAP_SYS_ADMIN is currently gating the setting of the IMA policy; - setting the policy should be possibly without the almighty CAP_SYS_ADMIN - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime - IMA policy extensions due to namespacing: - an IMA policy should allow rules that define whether activities in (all) child namespaces is to be measured (huge logs on the host) and audited or 'not'; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - IMA-measurement: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-audit: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child 
namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-appraisal and keys: - each IMA namespace should have its own keyring so that each container can have its files signed with different keys - the keys (certificates) for verifying signatures may be found inside containers - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host - the CA public key used for verifying that public keys (certificates) used for verifying signatures may be found inside the container or could be known to the container management stack - IMA-appraisal and namespacing: - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns? 
Maybe the following would be a solution for appraising file accesses with keys assumed in the current user_ns: for imans from current-IMA-NS backwards up to and including init_ima_ns: if policy(imans) has appraisal rules for this file: if file appraisal fails fail access else allow access break - TPM and measurements: - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurement in the initial IMA namespace are extended into the hardware TPM as done already - Extended attribute security.ima: - A container should be able to set the security.ima extended attribute - this should be possibly without the almighty CAP_SYS_ADMIN; - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time - Extended attribute security.ima and bind mounting - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.) - Extended attributes, such as seucrity.ima) may need to be virtualizeable (security.ima vs. security.ima@uid=1000 etc.) A concrete 'ab-use' case that we have to to avoid is the following: Root creates a container that shares the host's mount namespace but creates a new IMA namespace with an empty policy: it would be unexpected if there was an IMA policy active on the host that enforces file appraisal but in this case the IMA policy is not enforced since a (hypothetical) IMA namespace of the host was not joined because only the mount namespace of the host was joined and a new IMA namespace was created. 
Now we have two choices here: We tie the mount and IMA namespaces together via single clone flag (as proposed in RFC patches) and joining the mount namespace automatically joins the associated IMA namespace (single setns()). This eliminates being able to create independent IMA namespace. Or we make user space responsible for it and say if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter. So either we tie the IMA namespace to some other existing namespace, preferably mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file). == MNT and IMA Namespaces tied together == Let's assume we tie MNT and IMA namespaces together, then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available - PID namespaces and send signals: log, appraise, and audit file activity following IMA policy - IPC namespaces and send messages via IPC: same as for PID - UTS namespaces and setting hostname: same as for PID - NET namespaces and sending network traffic: same as for PID? - CGROUP namespaces and configuring cgroups: same as for PID? - USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? other than that, same as for PID? == Independent IMA Namespace == If we create an IMA namespace independently from any other mount namespace, what are we to gain from this or loose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above? 
In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only had its activities measured and audited but not appraised?

5b9fa24eea1c0203e944d2e7d8fef1b3954cf6c5 3942 3941 2018-03-15T17:19:33Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows locking down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signatures are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

- IMA policy for a container (similar to the host):
  - there should be an initial default policy for every IMA namespace that measures activities inside the container
  - the policy can be overwritten once with a user-defined policy that may activate appraisal
  - CAP_SYS_ADMIN is currently gating the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
- IMA policy extensions due to namespacing:
  - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could eat up a lot of memory
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
- IMA-measurement:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-audit:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-appraisal and keys:
  - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
  - the keys (certificates) for verifying signatures may be found inside containers
  - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
  - the CA public key used for verifying the public keys (certificates) that in turn verify the file signatures may be found inside the container or could be known to the container management stack
- IMA-appraisal and namespacing:
  - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns?
  - Maybe the following would be a solution for appraising file accesses by (host) root with the key used for signature verification assumed in the current user_ns (we never pick any other user_ns than this one for trying to find a key):

    for imans from current-IMA-NS backwards up to and including init_ima_ns:
        if policy(imans) has appraisal rules for this file:
            if file appraisal fails
                fail access
            else
                allow access
            break

- TPM and measurements:
  - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
- Extended attribute security.ima:
  - A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
- Extended attribute security.ima and bind mounting:
  - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
  - Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: Root creates a container that shares the host's mount namespace but creates a new IMA namespace with an empty policy. If an IMA policy that enforces file appraisal is active on the host, it would be unexpected that this policy is now not enforced; yet that is what happens, since the (hypothetical) IMA namespace of the host was not joined: only the host's mount namespace was joined, and a new IMA namespace was created.

Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in the RFC patches), and joining the mount namespace automatically joins the associated IMA namespace (a single setns()). This eliminates being able to create an independent IMA namespace. Or we make user space responsible for it and say: if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.

So either we tie the IMA namespace to some other existing namespace, preferably the mount namespace, or we have it be independently created (via a new clone flag or by writing into a sysfs/securityfs file).

== MNT and IMA Namespaces tied together ==

Let's assume we tie MNT and IMA namespaces together; then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available

- PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy
- IPC namespaces and send messages via IPC: same as for PID
- UTS namespaces and set the hostname: same as for PID
- NET namespaces and send network traffic: same as for PID?
- CGROUP namespaces and configure cgroups: same as for PID?
- USER namespaces: should now the keys of this USER namespace be active, or the keys of the original user namespace used during the clone()? Other than that, same as for PID?

== Independent IMA Namespace ==

If we create an IMA namespace independently from any other mount namespace, what are we to gain from this, or to lose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above?

In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only had its activities measured and audited but not appraised?

684d39b938841f38bff6841132c7848a53aa42e2 3943 3942 2018-03-15T17:23:54Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows locking down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signatures are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

- IMA policy for a container (similar to the host):
  - there should be an initial default policy for every IMA namespace that measures activities inside the container
  - the policy can be overwritten once with a user-defined policy that may activate appraisal
  - CAP_SYS_ADMIN is currently gating the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
- IMA policy extensions due to namespacing:
  - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could eat up a lot of memory
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
- IMA-measurement:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-audit:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-appraisal and keys:
  - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
  - the keys (certificates) for verifying signatures may be found inside containers
  - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
  - the CA public key used for verifying the public keys (certificates) that in turn verify the file signatures may be found inside the container or could be known to the container management stack
- IMA-appraisal and namespacing:
  - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns?
  - Maybe the following would be a solution for appraising file accesses by (host) root with the key used for signature verification assumed in the init_user_ns:

    for imans from current-IMA-NS backwards up to and including init_ima_ns:
        if policy(imans) has appraisal rules for this file:
            if file appraisal fails
                fail access
            else
                allow access
            break

- TPM and measurements:
  - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
- Extended attribute security.ima:
  - A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
- Extended attribute security.ima and bind mounting:
  - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
  - Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: Root creates a container that shares the host's mount namespace but creates a new IMA namespace with an empty policy. If an IMA policy that enforces file appraisal is active on the host, it would be unexpected that this policy is now not enforced; yet that is what happens, since the (hypothetical) IMA namespace of the host was not joined: only the host's mount namespace was joined, and a new IMA namespace was created.

Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in the RFC patches), and joining the mount namespace automatically joins the associated IMA namespace (a single setns()). This eliminates being able to create an independent IMA namespace. Or we make user space responsible for it and say: if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.

So either we tie the IMA namespace to some other existing namespace, preferably the mount namespace, or we have it be independently created (via a new clone flag or by writing into a sysfs/securityfs file).

== MNT and IMA Namespaces tied together ==

Let's assume we tie MNT and IMA namespaces together; then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available

- PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy
- IPC namespaces and send messages via IPC: same as for PID
- UTS namespaces and set the hostname: same as for PID
- NET namespaces and send network traffic: same as for PID?
- CGROUP namespaces and configure cgroups: same as for PID?
- USER namespaces: should now the keys of this USER namespace be active, or the keys of the original user namespace used during the clone()? Other than that, same as for PID?

== Independent IMA Namespace ==

If we create an IMA namespace independently from any other mount namespace, what are we to gain from this, or to lose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above?
In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only had its activities measured and audited but not appraised?

9cd93fda556859dbfb4316db010970fbe8ad4a61 3944 3943 2018-03-15T17:28:25Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows locking down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signatures are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

- IMA policy for a container (similar to the host):
  - there should be an initial default policy for every IMA namespace that measures activities inside the container
  - the policy can be overwritten once with a user-defined policy that may activate appraisal
  - CAP_SYS_ADMIN is currently gating the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
- IMA policy extensions due to namespacing:
  - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could eat up a lot of memory
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
- IMA-measurement:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-audit:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-appraisal and keys:
  - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
  - the keys (certificates) for verifying signatures may be found inside containers
  - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
  - the CA public key used for verifying the public keys (certificates) that in turn verify the file signatures may be found inside the container or could be known to the container management stack
- IMA-appraisal and namespacing:
  - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns?
  - Maybe the following would be a solution for appraising file accesses by (host) root with the key used for signature verification assumed in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

    for imans from current-IMA-NS backwards up to and including init_ima_ns:
        if policy(imans) has appraisal rules for this file:
            if file appraisal fails
                fail access
            else
                allow access
            break

  - Or, simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found): appraise with the policy of init_ima_ns and the key found in the .ima or _ima keyring in init_user_ns.
- TPM and measurements:
  - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
- Extended attribute security.ima:
  - A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
- Extended attribute security.ima and bind mounting:
  - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
  - Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: Root creates a container that shares the host's mount namespace but creates a new IMA namespace with an empty policy. If an IMA policy that enforces file appraisal is active on the host, it would be unexpected that this policy is now not enforced; yet that is what happens, since the (hypothetical) IMA namespace of the host was not joined: only the host's mount namespace was joined, and a new IMA namespace was created.

Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in the RFC patches), and joining the mount namespace automatically joins the associated IMA namespace (a single setns()). This eliminates being able to create an independent IMA namespace. Or we make user space responsible for it and say: if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.

So either we tie the IMA namespace to some other existing namespace, preferably the mount namespace, or we have it be independently created (via a new clone flag or by writing into a sysfs/securityfs file).

== MNT and IMA Namespaces tied together ==

Let's assume we tie MNT and IMA namespaces together; then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available

- PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy
- IPC namespaces and send messages via IPC: same as for PID
- UTS namespaces and set the hostname: same as for PID
- NET namespaces and send network traffic: same as for PID?
- CGROUP namespaces and configure cgroups: same as for PID?
- USER namespaces: should now the keys of this USER namespace be active, or the keys of the original user namespace used during the clone()? Other than that, same as for PID?

== Independent IMA Namespace ==

If we create an IMA namespace independently from any other mount namespace, what are we to gain from this, or to lose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above?

In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only had its activities measured and audited but not appraised?
Revision 3945 (parent 3944), 2018-03-15T17:29:00Z, Stefanb, edit summary: /* IMA Namespacing Considerations */

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This makes it possible to lock down a machine so that only signed files can be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signatures are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are the activities of root in the TCB. Since root has all rights on the system, he could try to abuse this power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

* IMA policy for containers (similar to the host):
** there should be an initial default policy for every IMA namespace that measures activities inside the container
** the policy can be overwritten once with a user-defined policy that may activate appraisal
** CAP_SYS_ADMIN currently gates the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
* IMA policy extensions due to namespacing:
** an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could eat up a lot of memory
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
* IMA-measurement:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-audit:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-appraisal and keys:
** each IMA namespace should have its own keyring so that each container can have its files signed with different keys
** the keys (certificates) for verifying signatures may be found inside containers
** it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
** the CA public key used for verifying the public keys (certificates) that are used for verifying signatures may be found inside the container or could be known to the container management stack
* IMA-appraisal and namespacing:
** If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?

Maybe the following would be a solution for appraising file accesses by (host) root, with the key used for signature verification assumed to be in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

 for imans from current-IMA-NS backwards up to and including init_ima_ns:
     if policy(imans) has appraisal rules for this file:
         if file appraisal fails:
             fail access
         else:
             allow access
         break

Or simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found): appraise with the policy of init_ima_ns and the key found in the .ima or _ima keyring of init_user_ns.

* TPM and measurements:
** The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as is done already
* Extended attribute security.ima:
** A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
* Extended attribute security.ima and bind mounting:
** It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
** Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

A concrete 'ab-use' case that we have to avoid is the following: Root creates a container that shares the host's mount namespace but creates a new IMA namespace with an empty policy. It would be unexpected if an IMA policy enforcing file appraisal were active on the host but were not enforced in this case, because the (hypothetical) IMA namespace of the host was not joined: only the mount namespace of the host was joined and a new IMA namespace was created.

Now we have two choices here: We tie the mount and IMA namespaces together via a single clone flag (as proposed in the RFC patches), and joining the mount namespace automatically joins the associated IMA namespace (single setns()). This eliminates being able to create an independent IMA namespace. Or we make user space responsible for it and say that if a mount namespace is joined, find the associated IMA namespace and join both of them (2 setns() calls). Well, I think the former would be preferred over the latter.

So either we tie the IMA namespace to some other existing namespace, preferably the mount namespace, or we have it be independently created (new clone flag or by writing into a sysfs/securityfs file).

== MNT and IMA Namespaces tied together ==

Let's assume we tie MNT and IMA namespaces together; then there are other scenarios with switching through the other namespaces (UTS, PID, IPC, NET, USER, CGROUP). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace. What should happen with IMA logging, appraisal, and auditing if we setns() through all available

* PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy
* IPC namespaces and send messages via IPC: same as for PID
* UTS namespaces and set the hostname: same as for PID
* NET namespaces and send network traffic: same as for PID?
* CGROUP namespaces and configure cgroups: same as for PID?
* USER namespaces: should now the keys of this USER namespace be active, or the keys of the original user namespace used during the clone()? Other than that, same as for PID?

== Independent IMA Namespace ==

If we create an IMA namespace independently from any mount namespace, what are we to gain or lose from this? The above ab-use case shows a problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only had its activities measured and audited but not appraised?
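The appraisal walk back to init_ima_ns and the 'ab-use' case above, as an added example that is not part of this wiki page or of the RFC patches: a Python model of nested IMA namespaces, each with its own policy and keyring, in which (host) root is measured everywhere and appraised by the first namespace on the chain that has a rule, while other uids see only their own namespace's policy. Signatures are modelled as HMAC tags in security.ima (a constructed stand-in for the real signature scheme), and the namespace, key and file names are made up for the demonstration.

```python
"""Model of the IMA-appraisal namespace walk described on this page (an added
example, not kernel code).  Signatures are HMAC tags kept in security.ima, a
constructed stand-in for the real scheme that still shows which keyring decides."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class File:
    path: str
    data: bytes
    security_ima: Optional[str] = None  # "keyid:hextag", None when unsigned

@dataclass
class Policy:
    measure: set = field(default_factory=set)   # path prefixes to measure
    appraise: set = field(default_factory=set)  # path prefixes to appraise
    def measures(self, path): return any(path.startswith(p) for p in self.measure)
    def appraises(self, path): return any(path.startswith(p) for p in self.appraise)

@dataclass
class ImaNamespace:
    name: str
    policy: Policy
    keyring: dict                             # key id -> key (the ns's .ima keyring)
    parent: Optional["ImaNamespace"] = None   # None for init_ima_ns
    log: list = field(default_factory=list)   # measurement log: (path, sha256)
    def chain(self):
        # Yield self, its parent, ... up to and including init_ima_ns.
        ns = self
        while ns is not None:
            yield ns
            ns = ns.parent

def sign(f: File, keyid: str, key: bytes) -> None:
    """Store a constructed signature in the file's security.ima xattr."""
    f.security_ima = keyid + ":" + hmac.new(key, f.data, hashlib.sha256).hexdigest()

def verify(ns: ImaNamespace, f: File) -> bool:
    """Appraise f using only the keys on this namespace's keyring."""
    if f.security_ima is None:
        return False
    keyid, _, tag = f.security_ima.partition(":")
    key = ns.keyring.get(keyid)
    if key is None:
        return False
    return hmac.compare_digest(hmac.new(key, f.data, hashlib.sha256).hexdigest(), tag)

@dataclass
class Decision:
    allowed: bool
    appraised_by: Optional[str]  # namespace whose policy decided, None if none did
    measured_in: list            # namespaces whose log received an entry

def access(ns: ImaNamespace, uid: int, f: File) -> Decision:
    digest = hashlib.sha256(f.data).hexdigest()
    measured = []
    if uid != 0:
        # Users other than host root, container-root included, see only this policy.
        if ns.policy.measures(f.path):
            ns.log.append((f.path, digest))
            measured.append(ns.name)
        if ns.policy.appraises(f.path):
            return Decision(verify(ns, f), ns.name, measured)
        return Decision(True, None, measured)
    # Host root is measured in every namespace back to init_ima_ns regardless of
    # policy, so a fresh namespace with an empty policy hides nothing.
    for imans in ns.chain():
        imans.log.append((f.path, digest))
        measured.append(imans.name)
    # The page's walk: the first namespace, current one first, whose policy has
    # appraisal rules for this file decides, using that namespace's keyring.
    for imans in ns.chain():
        if imans.policy.appraises(f.path):
            return Decision(verify(imans, f), imans.name, measured)
    return Decision(True, None, measured)

def demo() -> dict:
    """Constructed scenarios: the ab-use case, and a container with its own key."""
    host_key, ctr_key = b"host-signing-key", b"container-signing-key"
    init_ima_ns = ImaNamespace("init_ima_ns", Policy({"/"}, {"/usr/bin/"}), {"host": host_key})
    # Root's container: shares the host mount namespace, new IMA namespace, empty policy.
    empty = ImaNamespace("empty_ima_ns", Policy(), {"ctr": ctr_key}, parent=init_ima_ns)
    # A container that appraises /app/ against its own keyring only.
    app = ImaNamespace("app_ima_ns", Policy(set(), {"/app/"}), {"ctr": ctr_key}, parent=init_ima_ns)
    tool, rogue, srv, hsrv = (File(p, p.encode()) for p in
                              ("/usr/bin/tool", "/usr/bin/rogue", "/app/srv", "/app/hostsigned"))
    sign(tool, "host", host_key)
    sign(srv, "ctr", ctr_key)
    sign(hsrv, "host", host_key)
    return {
        "root_signed_tool": access(empty, 0, tool),
        "root_unsigned_rogue": access(empty, 0, rogue),
        "user_unsigned_rogue": access(empty, 1000, rogue),
        "user_app_srv": access(app, 1000, srv),
        "user_app_hostsigned": access(app, 1000, hsrv),
        "log_sizes": {ns.name: len(ns.log) for ns in (empty, app, init_ima_ns)},
    }
```

In the model, root's unsigned file in the empty-policy namespace is still denied by init_ima_ns's appraisal rule and measured in both logs, while uid 1000 in the same namespace is neither appraised nor measured, which is exactly the asymmetry the design points above ask for.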
Revision 3946 (parent 3945), 2018-03-15T17:29:52Z, Stefanb, edit summary: /* IMA Namespacing Considerations */
Revision 3947 (parent 3946), 2018-03-15T17:48:56Z, Stefanb, edit summary: /* IMA Namespacing Considerations */
Revision 3948 (parent 3947), 2018-03-15T17:52:01Z, Stefanb, edit summary: /* IMA Namespacing Considerations */
- USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? other than that, same as for PID? == Independent IMA Namespace == If we create an IMA namespace independently from any other mount namespace, what are we to gain from this or loose? The above ab-use case shows some problem associated with it. Do we have a solution for the item "IMA-appraisal and namespacing" above? In the worst case, would it matter if root spawned a new IMA namespace, set a NULL policy, and only have its activities measured and audited but not appraised? 592789b4081059661c7a9249649310b420e1edc0 3949 3948 2018-03-15T17:52:39Z Stefanb 10 wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace. === Background === IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports for example measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy. IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in IMA specific keyrings .ima or _ima. IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and be used for system forensics. 
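As an added illustration (not code from this wiki page or from the IMA project), the following C model encodes the design points from the IMA Namespacing Considerations above: host root is measured and audited in every IMA namespace regardless of that namespace's policy, other users follow only the namespace policy, and host root's appraisal walks the IMA namespace chain back to init_ima_ns. The struct names, the namespace tree, the path-prefix policy and the key identifiers are constructed stand-ins, not kernel interfaces.

```c
/* Constructed C model of the IMA-namespace design points above. Not kernel code:
 * all structs, namespace names and key identifiers are made up for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_ROOT_UID 0u             /* uid 0 as seen from init_user_ns */

struct ima_policy {
	bool measure;                /* measure file activity in this namespace */
	bool audit;                  /* emit audit records in this namespace */
	const char *appraise_prefix; /* NULL = no appraisal rules; else a path prefix */
};

struct ima_ns {
	const char *name;
	const struct ima_ns *parent; /* NULL for init_ima_ns */
	struct ima_policy policy;
	const char *trusted_key;     /* stand-in for the key on this ns's .ima keyring */
};

struct ima_decision {
	bool measured;
	bool audited;
	const char *appraised_in;    /* namespace whose rule appraised the file, or NULL */
	bool allowed;
};

static bool has_appraise_rule(const struct ima_policy *p, const char *path)
{
	return p->appraise_prefix &&
	       strncmp(path, p->appraise_prefix, strlen(p->appraise_prefix)) == 0;
}

/* The security.ima signature verifies iff it was made with the key on this ns's keyring. */
static bool appraise_in_ns(const struct ima_ns *ns, const char *sig_key)
{
	return sig_key && ns->trusted_key && strcmp(sig_key, ns->trusted_key) == 0;
}

/* uid is in init_user_ns terms; sig_key names the key that signed security.ima, NULL if unsigned. */
struct ima_decision ima_ns_check(const struct ima_ns *cur, const char *path,
				 unsigned int uid, const char *sig_key)
{
	struct ima_decision d = { false, false, NULL, true };
	bool host_root = uid == HOST_ROOT_UID;
	const struct ima_ns *ns;
	/* Host root is measured and audited in every IMA namespace, whatever that
	 * namespace's policy says; all other users follow the namespace policy. */
	d.measured = host_root || cur->policy.measure;
	d.audited = host_root || cur->policy.audit;
	/* Step 1: everyone is appraised against the current namespace's policy with
	 * the keys visible in the current user namespace. */
	if (has_appraise_rule(&cur->policy, path)) {
		d.appraised_in = cur->name;
		d.allowed = appraise_in_ns(cur, sig_key);
		return d;
	}
	/* Step 2, host root only: walk back towards init_ima_ns and appraise with the
	 * first ancestor policy that has a rule for this file. The page's loop starts at
	 * the current namespace, which step 1 already covered, so an empty policy in the
	 * child namespace does not exempt host root from the host's appraisal rules. */
	if (host_root) {
		for (ns = cur->parent; ns; ns = ns->parent) {
			if (has_appraise_rule(&ns->policy, path)) {
				d.appraised_in = ns->name;
				d.allowed = appraise_in_ns(ns, sig_key);
				break;
			}
		}
	}
	return d;
}

/* Constructed namespace tree: the host appraises everything under /usr/ against "host-key";
 * container c1 was given an empty policy; c2 measures and appraises everything with its own key. */
const struct ima_ns init_ima_ns = { "init_ima_ns", NULL, { true, true, "/usr/" }, "host-key" };
const struct ima_ns c1_ns = { "c1", &init_ima_ns, { false, false, NULL }, "c1-key" };
const struct ima_ns c2_ns = { "c2", &init_ima_ns, { true, false, "/" }, "c2-key" };

int main(void)
{
	const struct { const struct ima_ns *ns; const char *path; unsigned int uid; const char *sig; } cases[] = {
		{ &c1_ns, "/usr/bin/foo", 0, "host-key" }, /* host root in empty-policy ns: allow */
		{ &c1_ns, "/usr/bin/foo", 0, NULL },       /* host root, unsigned file: deny */
		{ &c1_ns, "/usr/bin/foo", 1000, NULL },    /* container user, empty policy: allow */
		{ &c2_ns, "/app", 1000, "c2-key" },        /* signed with c2's own key: allow */
		{ &c2_ns, "/app", 1000, "host-key" },      /* host key is not on c2's keyring: deny */
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		struct ima_decision d = ima_ns_check(cases[i].ns, cases[i].path,
						     cases[i].uid, cases[i].sig);
		printf("%-11s uid=%-4u %-12s measured=%d audited=%d appraised_in=%-11s %s\n",
		       cases[i].ns->name, cases[i].uid, cases[i].path, d.measured, d.audited,
		       d.appraised_in ? d.appraised_in : "-", d.allowed ? "allow" : "deny");
	}
	return 0;
}
```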
6c70094c3539012a0e71ce2865640c405d531c44 3950 3949 2018-03-15T17:57:08Z Stefanb 10 wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows locking down a machine so that only signed files can be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

- IMA policy for container (similar to the host):
  - there should be an initial default policy for every IMA namespace that measures activities inside the container
  - the policy can be overwritten once with a user-defined policy that may activate appraisal
  - CAP_SYS_ADMIN is currently gating the setting of the IMA policy;
  - setting the policy should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
- IMA policy extensions due to namespacing:
  - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
- IMA-measurement:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-audit:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-appraisal and keys:
  - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
  - the keys (certificates) for verifying signatures may be found inside containers
  - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
  - the CA public key used for verifying the public keys (certificates) that in turn verify file signatures may be found inside the container or could be known to the container management stack
- IMA-appraisal and namespacing:
  - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?
  - Maybe the following would be a solution for appraising file accesses by (host) root, with the key used for signature verification assumed to be in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

   for imans from current-IMA-NS backwards up to and including init_ima_ns:
       if policy(imans) has appraisal rules for this file:
           if file appraisal fails:
               fail access
           else:
               allow access
           break

  or simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found): appraise with the policy of init_ima_ns and the key found in the .ima or _ima keyring of init_user_ns.
- TPM and measurements:
  - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
- Extended attribute security.ima:
  - A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
- Extended attribute security.ima and bind mounting:
  - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
  - Extended attributes (such as security.ima) may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

Possible abuse scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity in the currently active IMA namespace. What should happen with IMA logging, appraisal, and auditing if we setns() through all available

- PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy, with special handling for (host) root
- IPC namespaces and send messages via IPC: same as for PID
- UTS namespaces and set the hostname: same as for PID
- NET namespaces and send network traffic: same as for PID
- CGROUP namespaces and configure cgroups: same as for PID
- USER namespaces: should the keys of this USER namespace now be active, or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] Other than that, same as for PID?
- MNT namespaces and access files or execute programs: same as for PID

7f18e2c99df6c3dc688ed1d697ce9e6842cf49ab 3951 3950 2018-03-15T17:58:00Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows locking down a machine so that only signed files can be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.
[we may need to adapt the current implementation...] Other than that, same as for PID?
- MNT namespaces and access files or execute programs: same as for PID

855c3f9240e792fc4a7fe1a77c1d7f78951c3558 3952 3951 2018-03-15T18:41:26Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows locking down a machine so that only signed files can be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.
[we may need to adapt the current implementation...] other than that, same as for PID? - MNT namespaces and access files or execute program: same as for PID d4deb5725999563445dbc0e7bb04aac321f69811 3953 3952 2018-03-17T13:44:11Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace. === Background === IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports for example measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy. IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in IMA specific keyrings .ima or _ima. IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and be used for system forensics. === IMA Namespacing Considerations === When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are activities of root in the TCB. Since root has all the rights on the system he could try to abuse his power by spawning new IMA namespaces and do things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation. 
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems: Support for IMA in namespaces should enable the following: - IMA policy for container (similar to the host): - there should be an initial default policy for every IMA namespace that measures activities inside the container - the policy can be overwritten once with a user-defined policy that may activate appraisal - CAP_SYS_ADMIN is currently gating the setting of the IMA policy; - setting the policy should be possibly without the almighty CAP_SYS_ADMIN - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime - IMA policy extensions due to namespacing: - an IMA policy should allow rules that define whether activities in (all) child namespaces is to be measured (huge logs on the host) and audited or 'not'; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - IMA-measurement: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-audit: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child 
namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-appraisal and keys: - each IMA namespace should have its own keyring so that each container can have its files signed with different keys - the keys (certificates) for verifying signatures may be found inside containers - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host - the CA public key used for verifying that public keys (certificates) used for verifying signatures may be found inside the container or could be known to the container management stack - IMA-appraisal and namespacing: - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns? Maybe the following would be a solution for appraising file accesses by (host) root with the key used for signature verification assumed in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found for imans from current-IMA-NS backwards up to and including init_ima_ns: if policy(imans) has appraisal rules for this file: if file appraisal fails fail access else allow access break or simplified (again after evaluating file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found) Appraise with policy of init_ima_ns and key found in .ima or _ima keyring of init_user_ns. 
- TPM and measurements: - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurement in the initial IMA namespace are extended into the hardware TPM as done already - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but refuse read/write access to their files if it is initiated from the 'wrong' IMA namespace - Extended attribute security.ima: - A container should be able to set the security.ima extended attribute - this should be possibly without the almighty CAP_SYS_ADMIN; - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time - Extended attribute security.ima and bind mounting - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.) - Extended attributes, such as security.ima) may need to be virtualizeable (security.ima vs. security.ima@uid=1000 etc.) 
- SecurityFS: - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces; - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace Possible abuse-scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available - PID namespaces and send signals: log, appraise, and audit file activity following IMA policy with special handling for (host) root - IPC namespaces and send messages via IPC: same as for PID - UTS namespaces and setting hostname: same as for PID - NET namespaces and sending network traffic: same as for PID - CGROUP namespaces and configuring cgroups: same as for PID - USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] other than that, same as for PID? - MNT namespaces and access files or execute program: same as for PID e61cc6cc939cd0302cad2d842bf0b3b7802d9961 3954 3953 2018-03-17T13:44:29Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace. === Background === IMA-measurement is about logging files that were read or executables that were started on a machine. 
Current IMA supports for example measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy. IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in IMA specific keyrings .ima or _ima. IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and be used for system forensics. === IMA Namespacing Considerations === When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are activities of root in the TCB. Since root has all the rights on the system he could try to abuse his power by spawning new IMA namespaces and do things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation. 
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems: Support for IMA in namespaces should enable the following: - IMA policy for container (similar to the host): - there should be an initial default policy for every IMA namespace that measures activities inside the container - the policy can be overwritten once with a user-defined policy that may activate appraisal - CAP_SYS_ADMIN is currently gating the setting of the IMA policy; - setting the policy should be possibly without the almighty CAP_SYS_ADMIN - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime - IMA policy extensions due to namespacing: - an IMA policy should allow rules that define whether activities in (all) child namespaces is to be measured (huge logs on the host) and audited or 'not'; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - IMA-measurement: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-audit: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child 
namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-appraisal and keys: - each IMA namespace should have its own keyring so that each container can have its files signed with different keys - the keys (certificates) for verifying signatures may be found inside containers - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host - the CA public key used for verifying that public keys (certificates) used for verifying signatures may be found inside the container or could be known to the container management stack - IMA-appraisal and namespacing: - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns? Maybe the following would be a solution for appraising file accesses by (host) root with the key used for signature verification assumed in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found for imans from current-IMA-NS backwards up to and including init_ima_ns: if policy(imans) has appraisal rules for this file: if file appraisal fails fail access else allow access break or simplified (again after evaluating file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found) Appraise with policy of init_ima_ns and key found in .ima or _ima keyring of init_user_ns. 
- TPM and measurements: - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurement in the initial IMA namespace are extended into the hardware TPM as done already - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but refuse read/write access to their files if it is initiated from the 'wrong' IMA namespace - Extended attribute security.ima: - A container should be able to set the security.ima extended attribute - this should be possibly without the almighty CAP_SYS_ADMIN; - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time - Extended attribute security.ima and bind mounting - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.) - Extended attributes, such as security.ima) may need to be virtualizeable (security.ima vs. security.ima@uid=1000 etc.) 
- SecurityFS: - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces; - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace Possible abuse-scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available - PID namespaces and send signals: log, appraise, and audit file activity following IMA policy with special handling for (host) root - IPC namespaces and send messages via IPC: same as for PID - UTS namespaces and setting hostname: same as for PID - NET namespaces and sending network traffic: same as for PID - CGROUP namespaces and configuring cgroups: same as for PID - USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] other than that, same as for PID? - MNT namespaces and access files or execute program: same as for PID 35c12c6091ca49559d8a29a8f17e0e00e19ae8d6 3955 3954 2018-03-17T15:58:34Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace. === Background === IMA-measurement is about logging files that were read or executables that were started on a machine. 
Current IMA supports for example measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy. IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in IMA specific keyrings .ima or _ima. IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and be used for system forensics. === IMA Namespacing Considerations === When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are activities of root in the TCB. Since root has all the rights on the system he could try to abuse his power by spawning new IMA namespaces and do things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation. 
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems: Support for IMA in namespaces should enable the following: - IMA policy for container (similar to the host): - there should be an initial default policy for every IMA namespace that measures activities inside the container - the policy can be overwritten once with a user-defined policy that may activate appraisal - CAP_SYS_ADMIN is currently gating the setting of the IMA policy; - setting the policy should be possibly without the almighty CAP_SYS_ADMIN - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime - IMA policy extensions due to namespacing: - an IMA policy should allow rules that define whether activities in (all) child namespaces is to be measured (huge logs on the host) and audited or 'not'; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - IMA-measurement: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-audit: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child 
namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-appraisal and keys: - each IMA namespace should have its own keyring so that each container can have its files signed with different keys - the keys (certificates) for verifying signatures may be found inside containers - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host - the CA public key used for verifying that public keys (certificates) used for verifying signatures may be found inside the container or could be known to the container management stack - IMA-appraisal and namespacing: - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns? Maybe the following would be a solution for appraising file accesses by (host) root with the key used for signature verification assumed in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found for imans from current-IMA-NS backwards up to and including init_ima_ns: if policy(imans) has appraisal rules for this file: if file appraisal fails fail access else allow access break or simplified (again after evaluating file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found) Appraise with policy of init_ima_ns and key found in .ima or _ima keyring of init_user_ns. 
- TPM and measurements: - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurement in the initial IMA namespace are extended into the hardware TPM as done already - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but refuse read/write access to their files if it is initiated from the 'wrong' IMA namespace - Extended attribute security.ima: - A container should be able to set the security.ima extended attribute - this should be possibly without the almighty CAP_SYS_ADMIN; - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time - Extended attribute security.ima and bind mounting - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.) - Extended attributes, such as security.ima) may need to be virtualizeable (security.ima vs. security.ima@uid=1000 etc.) 
- SecurityFS: - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces; - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace Possible abuse-scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available - PID namespaces and send signals: log, appraise, and audit file activity following IMA policy with special handling for (host) root - IPC namespaces and send messages via IPC: same as for PID - UTS namespaces and setting hostname: same as for PID - NET namespaces and sending network traffic: same as for PID - CGROUP namespaces and configuring cgroups: same as for PID - USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] other than that, same as for PID? - MNT namespaces and access files or execute program: same as for PID; if active IMA namespace policy requires file appraisal, files would need to be signed with key from keyring in current USER namespace d9ba8e7708b1fbb220f72314f5eafabe1b879e80 3956 3955 2018-03-19T13:41:49Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace. 
=== Background === IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports for example measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy. IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in IMA specific keyrings .ima or _ima. IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and be used for system forensics. === IMA Namespacing Considerations === When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are activities of root in the TCB. Since root has all the rights on the system he could try to abuse his power by spawning new IMA namespaces and do things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation. 
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

* IMA policy for containers (similar to the host):
** there should be an initial default policy for every IMA namespace that measures activities inside the container
** the policy can be overwritten once with a user-defined policy that may activate appraisal; this policy would be independent of that of the host
** CAP_SYS_ADMIN currently gates the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
* IMA policy extensions due to namespacing:
** an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
* IMA-measurement:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-audit:
** to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
** activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
* IMA-appraisal and keys:
** each IMA namespace should have its own keyring so that each container can have its files signed with different keys
** the keys (certificates) for verifying signatures may be found inside containers
** it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
** the CA public key used for verifying the public keys (certificates) that in turn verify file signatures may be found inside the container or could be known to the container management stack
* IMA-appraisal and namespacing:
** If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?
** Maybe the following would be a solution for appraising file accesses by (host) root, with the key used for signature verification assumed to be in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

 for imans from current-IMA-NS backwards up to and including init_ima_ns:
     if policy(imans) has appraisal rules for this file:
         if file appraisal fails:
             fail access
         else:
             allow access
         break

** or, simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found): appraise with the policy of init_ima_ns and the key found in the .ima or _ima keyring of init_user_ns.
* TPM and measurements:
** The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
** Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but read/write access to their files is refused if it is initiated from the 'wrong' IMA namespace
* Extended attribute security.ima:
** A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
** we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
* Extended attribute security.ima and bind mounting:
** It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
** Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)
* SecurityFS:
** every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace
** the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces
** there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace

Possible abuse scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity in the currently active IMA namespace. What should happen with IMA logging, appraisal, and auditing if we setns() through all available
* PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy, with special handling for (host) root
* IPC namespaces and send messages via IPC: same as for PID
* UTS namespaces and set the hostname: same as for PID
* NET namespaces and send network traffic: same as for PID
* CGROUP namespaces and configure cgroups: same as for PID
* USER namespaces: should now the keys of this USER namespace be active, or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] other than that, same as for PID?
* MNT namespaces and access files or execute programs: same as for PID; if the active IMA namespace policy requires file appraisal, files would need to be signed with a key from the keyring in the current USER namespace
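As an added illustration (not code from this page or from the kernel), the following Python model applies the measurement, audit and appraisal rules enumerated above to a file access in a nested IMA namespace: host root is logged in every namespace regardless of child policy, other users follow only the policy of the namespace they act in, and appraisal for host root walks back to init_ima_ns as in the sketch. Namespace names, policies, keyrings, key ids and paths are constructed for the example; the single log_children flag and the one-keyring-per-namespace simplification are assumptions.

```python
# Added illustration, not kernel code: a model of the IMA-namespace decision
# rules enumerated above. Names (policies, keyrings, key ids, paths) are
# constructed for the example.
from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class Policy:
    measure: bool = False       # measure file accesses of ordinary users in this ns
    audit: bool = False         # emit audit records for those accesses
    appraise: bool = False      # stands in for "policy has appraisal rules for this file"
    log_children: bool = False  # also measure/audit activity of child IMA namespaces here


@dataclass
class ImaNamespace:
    name: str
    policy: Policy
    keyring: frozenset          # key ids on the .ima keyring of the USER ns used with this IMA ns
    parent: Optional["ImaNamespace"] = None
    measurements: list = field(default_factory=list)
    audit_records: list = field(default_factory=list)

    def chain(self) -> Iterator["ImaNamespace"]:
        """This namespace first, then its ancestors up to and including init_ima_ns."""
        ns: Optional[ImaNamespace] = self
        while ns is not None:
            yield ns
            ns = ns.parent


@dataclass(frozen=True)
class SignedFile:
    path: str
    signing_key: str            # key id that produced the security.ima signature


def signature_verifies(ns: ImaNamespace, f: SignedFile) -> bool:
    return f.signing_key in ns.keyring


def ima_file_access(ns: ImaNamespace, f: SignedFile, uid: int, host_root: bool) -> bool:
    """Apply the design rules to one file access in namespace ns; True means allowed.

    Side effect: the access is appended to the measurement/audit logs of every
    namespace that, per the rules, must see it.
    """
    entry = (uid, f.path, ns.name)
    for depth, imans in enumerate(ns.chain()):
        current = depth == 0
        if host_root:
            # (host) root is measured *and* audited in every IMA namespace on the
            # way to init_ima_ns, independent of what the child policies say.
            imans.measurements.append(entry)
            imans.audit_records.append(entry)
            continue
        # Everyone else, container root included, follows only the policy of the
        # namespace acted in, plus ancestors that chose to log child activity.
        if (current and imans.policy.measure) or (not current and imans.policy.log_children):
            imans.measurements.append(entry)
        if (current and imans.policy.audit) or (not current and imans.policy.log_children):
            imans.audit_records.append(entry)

    # Appraisal step 1: the current namespace's policy with the keys of the
    # currently active USER namespace.
    if ns.policy.appraise and not signature_verifies(ns, f):
        return False
    if not host_root:
        return True
    # Step 2, host root only: walk from the current namespace back to
    # init_ima_ns; the first namespace with appraisal rules decides, then stop.
    for imans in ns.chain():
        if imans.policy.appraise:
            return signature_verifies(imans, f)
    return True


def demo() -> dict:
    """Host with appraisal on; a container first with an empty policy, then with its own."""
    init_ima_ns = ImaNamespace("init_ima_ns", Policy(measure=True, audit=True, appraise=True),
                               frozenset({"host-signing-key"}))
    container = ImaNamespace("IMANS:container", Policy(),  # empty initial policy
                             frozenset({"container-signing-key"}), parent=init_ima_ns)
    tool = SignedFile("/usr/bin/tool", "container-signing-key")

    results = {
        # Host root in the container: logged everywhere; no appraisal rules in the
        # container, so init_ima_ns decides, and its keyring lacks the container key.
        "host_root_empty_policy": ima_file_access(container, tool, 0, host_root=True),
        # Ordinary container user: the empty policy neither measures nor appraises.
        "user_empty_policy": ima_file_access(container, tool, 1000, host_root=False),
    }
    # The container overwrites its policy once, activating measurement and appraisal.
    container.policy = Policy(measure=True, appraise=True)
    results["host_root_container_policy"] = ima_file_access(container, tool, 0, host_root=True)
    results["user_container_policy"] = ima_file_access(container, tool, 1000, host_root=False)
    results["container_measurements"] = len(container.measurements)
    results["init_measurements"] = len(init_ima_ns.measurements)
    results["container_audit_records"] = len(container.audit_records)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```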
== Standalone IMA namespace versus IMA namespace attached to MOUNT namespace or USER namespace ==

1) The first set of posted patches '''attached the IMA namespace to the MOUNT namespace''' and shared the CLONE_NEWNS flag. Whenever a new mount namespace was created, it also created a new IMA namespace. Similarly, a setns() on a MOUNT namespace would also join the conjoint IMA namespace. File measurements and appraisal of an IMA policy would work on the files in the MOUNT namespace. The key used for the appraisal would be in the currently setns()'d USER namespace (the current implementation of IMA would need to be fixed in that regard). This proposed implementation of conjoint MOUNT and IMA namespaces was rejected.

2) Another choice is to '''attach the IMA namespace to the USER namespace'''. An IMA file measurement and appraisal policy would become active when the conjoint USER and IMA namespaces are joined, using setns() for example. A side effect of this is that joining a USER namespace activates an IMA policy that, if appraisal is active, starts appraising file accesses, which may include file access denials.

3) The last choice is to have IMA be a '''stand-alone namespace''' that is spawned using its own CLONE flag. An IMA file measurement and appraisal policy would be activated when the IMA namespace is joined, using setns() for example. Only if the appropriate set of MOUNT namespaces and USER namespace, providing file signatures and keys for signature verification respectively, is also joined will file appraisal result in working file accesses; otherwise file accesses may be denied.

The last two choices have their advantages and disadvantages. In order to avoid side effects on existing USER namespaces, the 3rd choice seems better suited. However, a system with IMA appraisal active in IMA namespaces will have restrictions when switching through MNT and possibly USER namespaces using setns(). The restrictions are related to file appraisal and possibly file access denials, as well as file measurements.
The intention is to introduce an IMA namespace. === Background === IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports for example measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy. IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows to lock down a machine if only signed files are allowed to be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in IMA specific keyrings .ima or _ima. IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and be used for system forensics. === IMA Namespacing Considerations === When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are activities of root in the TCB. Since root has all the rights on the system he could try to abuse his power by spawning new IMA namespaces and do things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation. 
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems: Support for IMA in namespaces should enable the following: - IMA policy for container (similar to the host): - there should be an initial default policy for every IMA namespace that measures activities inside the container - the policy can be overwritten once with a user-defined policy that may activate appraisal; this policy would be independent of that of the host - CAP_SYS_ADMIN is currently gating the setting of the IMA policy; - setting the policy should be possibly without the almighty CAP_SYS_ADMIN - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime - IMA policy extensions due to namespacing: - an IMA policy should allow rules that define whether activities in (all) child namespaces is to be measured (huge logs on the host) and audited or 'not'; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - IMA-measurement: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces independent of whether the policy enables logging or auditing in child namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-audit: - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces independent of whether 
the policy enables logging or auditing in child namespaces - activities of all other users, including container-root user, would only be subject to the policy set in the IMA namespace - IMA-appraisal and keys: - each IMA namespace should have its own keyring so that each container can have its files signed with different keys - the keys (certificates) for verifying signatures may be found inside containers - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host - the CA public key used for verifying that public keys (certificates) used for verifying signatures may be found inside the container or could be known to the container management stack - IMA-appraisal and namespacing: - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns? Maybe the following would be a solution for appraising file accesses by (host) root with the key used for signature verification assumed in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found for imans from current-IMA-NS backwards up to and including init_ima_ns: if policy(imans) has appraisal rules for this file: if file appraisal fails fail access else allow access break or simplified (again after evaluating file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found) Appraise with policy of init_ima_ns and key found in .ima or _ima keyring of init_user_ns. 
- TPM and measurements: - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurement in the initial IMA namespace are extended into the hardware TPM as done already - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but refuse read/write access to their files if it is initiated from the 'wrong' IMA namespace - Extended attribute security.ima: - A container should be able to set the security.ima extended attribute - this should be possibly without the almighty CAP_SYS_ADMIN; - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time - Extended attribute security.ima and bind mounting - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.) - Extended attributes, such as security.ima) may need to be virtualizeable (security.ima vs. security.ima@uid=1000 etc.) 
- SecurityFS: - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces; - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace Possible abuse-scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available - PID namespaces and send signals: log, appraise, and audit file activity following IMA policy with special handling for (host) root - IPC namespaces and send messages via IPC: same as for PID - UTS namespaces and setting hostname: same as for PID - NET namespaces and sending network traffic: same as for PID - CGROUP namespaces and configuring cgroups: same as for PID - USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] other than that, same as for PID? - MNT namespaces and access files or execute program: same as for PID; if active IMA namespace policy requires file appraisal, files would need to be signed with key from keyring in current USER namespace == Standalone IMA namespace versus IMA namespace attached to MOUNT namespace or USER namespace == 1) The first set of posted patches '''attached the IMA namespace to the MOUNT namespace''' and shared the CLONE_NEWNS flag. Whenever a new mount namespace was created, it also created a new IMA namespace. Similarly, a setns() on a MOUNT namespace would also join the conjoint IMA namespace. 
File measurements and appraisal of an IMA policy would work on the files in the MOUNT namespace. The key used for the appraisal would be in the currently setns()'d USER namespace (the current implementation of IMA would need to be fixed in that regard). This proposed implementation of conjoint MOUNT and IMA namespaces was rejected. 2) Another choice is to '''attach the IMA namespace to the USER namespace'''. An IMA file measurement and appraisal policy would become activated when the conjoint USER and IMA namespaces are joined using setns() for example. Side effects of this include that joining a USER namespace activates an IMA policy, that, if appraisal is active, start appraising file accesses, which may include file access denials. 3) The last choice is to have IMA be a '''stand-alone namespace''' that is spawned using its own CLONE flag or by writing to a (securityfs) file. An IMA file measurement and appraisal policy would be activated when the IMA namespace is joint using setns() for example. If the appropriate set of MOUNT namespaces and USER namespace, providing file signatures and keys for signature verification respectively, is also joined, then only file appraisal will result in working file accesses, otherwise file accesses may be denied. The last two choices have their advantages and disadvantages. In order to avoid side effects on existing USER namespaces, the 3rd choice seems better suited. Though a system with IMA appraisal active in IMA namespaces will have restrictions when switching through MNT and possibly USER namespaces using setns(). Restrictions are related to file appraisal and possibly file access denials as well as file measurements. 06315ff7d2dd2cdb019d97afa4ff608cc2ac101d 3961 3960 2018-04-20T13:21:32Z Stefanb 10 /* Namespacing IMA */ wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace. 
=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows locking down a machine so that only signed files can be read or executed. Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signatures are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activities of root in the TCB. Since root has all rights on the system, root could try to abuse this power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation. The following enumeration of IMA namespacing design points is meant to guide the implementation and prevent such problems.

Support for IMA in namespaces should enable the following:

 - IMA policy for container (similar to the host):
   - there should be an initial default policy for every IMA namespace that measures activities inside the container
   - the policy can be overwritten once with a user-defined policy that may activate appraisal; this policy would be independent of that of the host
   - CAP_SYS_ADMIN currently gates the setting of the IMA policy;
     - setting the policy should be possible without the almighty CAP_SYS_ADMIN
     - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime

 - IMA policy extensions due to namespacing:
   - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or 'not'; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
   - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces

 - IMA-measurement:
   - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
   - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace

 - IMA-audit:
   - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
   - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace

 - IMA-appraisal and keys:
   - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
   - the keys (certificates) for verifying signatures may be found inside containers
   - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
   - the CA public key used for verifying the public keys (certificates) that in turn verify file signatures may be found inside the container or could be known to the container management stack

 - IMA-appraisal and namespacing:
   - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there and assume we would always find the keys in the init_user_ns?
   - Maybe the following would be a solution for appraising file accesses by (host) root with the key used for signature verification assumed in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

     for imans from current-IMA-NS backwards up to and including init_ima_ns:
         if policy(imans) has appraisal rules for this file:
             if file appraisal fails
                 fail access
             else
                 allow access
             break

   or, simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found):

     Appraise with policy of init_ima_ns and key found in .ima or _ima keyring of init_user_ns.
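The decision rules above, as an added worked model that is mine and not kernel code: a small C program with in-memory stand-ins for IMA namespaces (with a parent link), their policies, per-USER-namespace keyrings and signed files, applying the "root is always measured and audited" rule and the backwards walk to init_ima_ns exactly as the pseudocode sketches it. The namespace names, key ids and file paths are constructed.

```c
/* Added model (not kernel code) of the namespaced IMA rules listed above. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEYRING_MAX 4

struct user_ns {                 /* stand-in for a USER namespace's .ima/_ima keyring */
    const char *name;
    int keys[KEYRING_MAX];       /* ids of trusted public keys, 0 = empty slot */
};
struct ima_policy { bool measure, audit, appraise; }; /* rule classes in a policy */
struct ima_ns {
    const char *name;
    const struct ima_ns *parent; /* NULL for init_ima_ns */
    struct ima_policy policy;
};
struct ima_file {
    const char *path;
    int signed_with;             /* key id that signed security.ima, 0 = unsigned */
};
struct verdict {
    bool measured, audited, allowed;
    const char *appraised_in;    /* IMA namespace whose policy decided, NULL if none */
};

/* Signature verification stand-in: valid iff the signing key is on the keyring. */
static bool appraise_ok(const struct ima_file *f, const struct user_ns *uns)
{
    if (f->signed_with == 0)
        return false;
    for (int i = 0; i < KEYRING_MAX; i++)
        if (uns->keys[i] == f->signed_with)
            return true;
    return false;
}

/* Evaluate one file access (think BPRM_CHECK) made in IMA namespace 'cur'
 * by a task whose active USER namespace is 'cur_uns'. */
struct verdict ima_check(const struct ima_file *f, bool host_root,
                         const struct ima_ns *cur, const struct user_ns *cur_uns,
                         const struct user_ns *init_uns)
{
    struct verdict v = { .allowed = true, .appraised_in = NULL };

    /* Root's activity is measured and audited in every IMA namespace,
     * whatever that namespace's own policy enables. */
    v.measured = cur->policy.measure || host_root;
    v.audited  = cur->policy.audit   || host_root;

    /* Step 1: the current namespace's policy, keys from the current USER ns. */
    if (cur->policy.appraise) {
        v.appraised_in = cur->name;
        v.allowed = appraise_ok(f, cur_uns);
        if (!v.allowed)
            return v;
    }
    if (!host_root)
        return v;                /* other users: only the current policy applies */

    /* Step 2, host root only: walk from the current namespace back to init_ima_ns;
     * the first namespace with appraisal rules decides, key assumed in init_user_ns. */
    for (const struct ima_ns *ns = cur; ns != NULL; ns = ns->parent) {
        if (ns->policy.appraise) {
            v.appraised_in = ns->name;
            v.allowed = appraise_ok(f, init_uns);
            break;
        }
    }
    return v;
}

/* Constructed scenario: appraisal is active on the host; container A still has
 * the empty policy, container B has set an appraisal policy of its own. */
const struct user_ns init_user_ns = { "init_user_ns", { 1 } };
const struct user_ns ctr_user_ns  = { "ctr_user_ns",  { 2 } };
const struct ima_ns init_ima_ns = { "init_ima_ns", NULL, { true, true, true } };
const struct ima_ns ctr_a_ns = { "IMANS:A", &init_ima_ns, { false, false, false } };
const struct ima_ns ctr_b_ns = { "IMANS:B", &init_ima_ns, { true, true, true } };
const struct ima_file host_tool = { "/usr/bin/host-tool", 1 }; /* signed with host key */
const struct ima_file ctr_tool  = { "/usr/bin/ctr-tool",  2 }; /* signed with container key */

static void show(const char *who, const struct ima_file *f, struct verdict v)
{
    printf("%-15s %-18s measured=%d audited=%d allowed=%d decided by %s\n", who,
           f->path, v.measured, v.audited, v.allowed, v.appraised_in ? v.appraised_in : "-");
}

int main(void)
{
    show("ctr user in A", &ctr_tool, ima_check(&ctr_tool, false, &ctr_a_ns, &ctr_user_ns, &init_user_ns));
    show("host root in A", &ctr_tool, ima_check(&ctr_tool, true, &ctr_a_ns, &ctr_user_ns, &init_user_ns));
    show("host root in A", &host_tool, ima_check(&host_tool, true, &ctr_a_ns, &ctr_user_ns, &init_user_ns));
    show("ctr user in B", &ctr_tool, ima_check(&ctr_tool, false, &ctr_b_ns, &ctr_user_ns, &init_user_ns));
    show("ctr user in B", &host_tool, ima_check(&host_tool, false, &ctr_b_ns, &ctr_user_ns, &init_user_ns));
    return 0;
}
```

The second run shows the consequence of the literal pseudocode: host root executing a file signed only with the container's key is denied by init_ima_ns even though container A has no appraisal rules of its own.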
 - TPM and measurements:
   - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
   - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but read/write access to their files is refused if it is initiated from the 'wrong' IMA namespace

 - Extended attribute security.ima:
   - A container should be able to set the security.ima extended attribute
     - this should be possible without the almighty CAP_SYS_ADMIN;
     - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time

 - Extended attribute security.ima and bind mounting:
   - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
   - Extended attributes (such as security.ima) may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)

 - SecurityFS:
   - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace
   - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces;
     - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace

Possible abuse scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace:

What should happen with IMA logging, appraisal, and auditing if we setns() through all available
 - PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy, with special handling for (host) root
 - IPC namespaces and send messages via IPC: same as for PID
 - UTS namespaces and set the hostname: same as for PID
 - NET namespaces and send network traffic: same as for PID
 - CGROUP namespaces and configure cgroups: same as for PID
 - USER namespaces: should the keys of this USER namespace now be active, or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] other than that, same as for PID?
 - MNT namespaces and access files or execute programs: same as for PID; if the active IMA namespace policy requires file appraisal, files would need to be signed with a key from the keyring in the current USER namespace

=== IMA namespaces and IMA policy semantics ===

The following shows IMA policy rules and their semantics when applied to IMA namespaces:

 1) audit FUNC=BPRM_CHECK
 2) audit FUNC=BPRM_CHECK ns
 3) measure func=BPRM_CHECK

The interpretation of these IMA policy rules is as follows:

1) Files executed in the IMA namespace that has this policy rule and in its child namespaces are audited once
2) Files executed in a child namespace of the IMA namespace that has this policy rule are audited, even if already audited in the IMA namespace that has this policy rule or in another namespace
3) Files executed in the IMA namespace that has this policy rule and in its child namespaces are measured once

Note: Initially, the init_ima_ns will be the only IMA namespace that has a policy.

== Standalone IMA namespace versus IMA namespace attached to MOUNT namespace or USER namespace ==

1) The first set of posted patches '''attached the IMA namespace to the MOUNT namespace''' and shared the CLONE_NEWNS flag. Whenever a new mount namespace was created, it also created a new IMA namespace. Similarly, a setns() on a MOUNT namespace would also join the conjoint IMA namespace. File measurements and appraisal of an IMA policy would work on the files in the MOUNT namespace. The key used for the appraisal would be in the currently setns()'d USER namespace (the current implementation of IMA would need to be fixed in that regard). This proposed implementation of conjoint MOUNT and IMA namespaces was rejected.

2) Another choice is to '''attach the IMA namespace to the USER namespace'''. An IMA file measurement and appraisal policy would become activated when the conjoint USER and IMA namespaces are joined using setns(), for example.
A side effect of this is that joining a USER namespace activates an IMA policy which, if appraisal is active, starts appraising file accesses, which may result in file access denials.

3) The last choice is to have IMA be a '''stand-alone namespace''' that is spawned using its own CLONE flag or by writing to a (securityfs) file. An IMA file measurement and appraisal policy would be activated when the IMA namespace is joined using setns(), for example. Only if the appropriate MOUNT namespaces and USER namespace, providing the file signatures and the keys for signature verification respectively, are also joined will file appraisal result in working file accesses; otherwise file accesses may be denied.

The last two choices have their advantages and disadvantages. In order to avoid side effects on existing USER namespaces, the 3rd choice seems better suited. However, a system with IMA appraisal active in IMA namespaces will have restrictions when switching through MNT and possibly USER namespaces using setns(). The restrictions relate to file appraisal and possibly file access denials, as well as file measurements.
972fa9893e8be84ace6042135d18f6adfcc878b3 3962 3961 2018-04-20T13:21:56Z Stefanb 10 /* IMA namespaces and IMA policy semantics */ wikitext text/x-wiki
e5d18bc34b86e61d39375f4c41dcf4f936294344 3963 3962 2018-04-20T13:22:16Z Stefanb 10 /* IMA namespaces and IMA policy semantics */ wikitext text/x-wiki
== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement is about logging files that were read or executables that were started on a machine. Current IMA supports, for example, measuring root's activities in the TCB, such as which programs were started by root. Which files are measured can be configured using an IMA policy.

IMA-appraisal is about only allowing files to be accessed that have been properly signed. This allows locking down a machine so that only signed files can be read or executed.
Which files are appraised can be configured using an IMA policy. File signatures are found in the security.ima extended attribute. The keys for verifying the signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit is about reporting accesses to files and generating audit records of file hash measurements. Which file activity is audited can be configured using an IMA policy. The audit records can be used to augment existing security analytics software and for system forensics.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activity of root in the TCB. Since root has all rights on the system, root could try to abuse that power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.

The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

- IMA policy for containers (similar to the host's):
  - there should be an initial default policy for every IMA namespace that measures activities inside the container
  - the policy can be overwritten once with a user-defined policy that may activate appraisal; this policy would be independent of that of the host
  - CAP_SYS_ADMIN currently gates the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
- IMA policy extensions due to namespacing:
  - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independently of whether the policy enables logging or auditing in child namespaces
- IMA-measurement:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independently of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-audit:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independently of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-appraisal and keys:
  - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
  - the keys (certificates) for verifying signatures may be found inside containers
  - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
  - the CA public key used for verifying the public keys (certificates) that in turn verify file signatures may be found inside the container or could be known to the container management stack
- IMA-appraisal and namespacing:
  - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising?
    Would we traverse all the IMA namespaces back to the init_ima_ns, evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?
  - Maybe the following would be a solution for appraising file accesses by (host) root, with the key used for signature verification assumed to be in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

 for imans from current-IMA-NS backwards up to and including init_ima_ns:
     if policy(imans) has appraisal rules for this file:
         if file appraisal fails:
             fail access
         else:
             allow access
         break

    Or, simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found): appraise with the policy of init_ima_ns and the key found in the .ima or _ima keyring of init_user_ns.
- TPM and measurements:
  - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as is done already
  - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but read/write access to their files is refused if it is initiated from the 'wrong' IMA namespace
- Extended attribute security.ima:
  - A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
- Extended attribute security.ima and bind mounting:
  - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
  - Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)
- SecurityFS:
  - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace
  - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces
  - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace

Possible abuse scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace. What should happen with IMA logging, appraisal, and auditing if we setns() through all available

- PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy, with special handling for (host) root
- IPC namespaces and send messages via IPC: same as for PID
- UTS namespaces and set the hostname: same as for PID
- NET namespaces and send network traffic: same as for PID
- CGROUP namespaces and configure cgroups: same as for PID
- USER namespaces: should the keys of this USER namespace now be active, or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] Other than that, same as for PID?
- MNT namespaces and access files or execute programs: same as for PID; if the active IMA namespace policy requires file appraisal, files would need to be signed with a key from the keyring in the current USER namespace

=== IMA namespaces and IMA policy semantics ===

The following shows IMA policy rules and their semantics when applied to IMA namespaces:

 1) audit FUNC=BPRM_CHECK
 2) audit FUNC=BPRM_CHECK ns
 3) measure func=BPRM_CHECK

The interpretation of these IMA policy rules is as follows:

1) Files executed in the IMA namespace that has this policy rule and in its child namespaces are audited once
2) Files executed in a child namespace of the IMA namespace that has this policy rule are audited, even if already audited in the IMA namespace that has this policy rule or in another namespace
3) Files executed in the IMA namespace that has this policy rule and in its child namespaces are measured once

Note: Initially, the init_ima_ns will be the only IMA namespace that has a policy.

== Standalone IMA namespace versus IMA namespace attached to MOUNT namespace or USER namespace ==

1) The first set of posted patches '''attached the IMA namespace to the MOUNT namespace''' and shared the CLONE_NEWNS flag. Whenever a new mount namespace was created, it also created a new IMA namespace. Similarly, a setns() on a MOUNT namespace would also join the conjoint IMA namespace. File measurements and appraisal of an IMA policy would work on the files in the MOUNT namespace. The key used for the appraisal would be in the currently setns()'d USER namespace (the current implementation of IMA would need to be fixed in that regard). This proposed implementation of conjoint MOUNT and IMA namespaces was rejected.

2) Another choice is to '''attach the IMA namespace to the USER namespace'''. An IMA file measurement and appraisal policy would become activated when the conjoint USER and IMA namespaces are joined using setns(), for example.
Side effects of this include that joining a USER namespace activates an IMA policy which, if appraisal is active, starts appraising file accesses, which may include file access denials.

3) The last choice is to have IMA be a '''stand-alone namespace''' that is spawned using its own CLONE flag or by writing to a (securityfs) file. An IMA file measurement and appraisal policy would be activated when the IMA namespace is joined using setns(), for example. Only if the appropriate set of MOUNT namespaces and USER namespace, providing file signatures and keys for signature verification respectively, is also joined will file appraisal result in working file accesses; otherwise file accesses may be denied.

The last two choices have their advantages and disadvantages. In order to avoid side effects on existing USER namespaces, the 3rd choice seems better suited, though a system with IMA appraisal active in IMA namespaces will have restrictions when switching through MNT and possibly USER namespaces using setns(). The restrictions are related to file appraisal and possibly file access denials as well as file measurements.

4e628d98852285c0e956c40a00710751f93b982a 3969 3963 2018-04-30T17:54:55Z Stefanb 10 /* Background */ wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement extends the concept of “trusted boot”[1] to the running OS. Based on policy, as files are accessed, executed, or mmapped, a hash of the file data is calculated, used to extend the TPM[2] if enabled, and added to the IMA measurement list. The current builtin IMA-measurement Trusted Computing Base (TCB) policies measure all files read by root or executed/mmapped by any user. They also measure all kernel modules and firmware when they are loaded, as well as the IMA policy itself.
IMA-appraisal extends the concept of “secure boot”[3] to the running OS. Based on policy, as files are accessed, executed, or mmapped, the file hash is calculated and verified against the known good value stored in the security.ima xattr. The security.ima xattr can hold either a file hash or a signature. The keys for verifying the file data signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit adds system audit records containing the file hash to the system audit log. The IMA-audit records can be used to augment existing security analytics software and for system forensics.

Namespacing each of these features requires not only adding IMA namespacing support but also some additional kernel changes.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activity of root in the TCB. Since root has all rights on the system, root could try to abuse that power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

- IMA policy for containers (similar to the host's):
  - there should be an initial default policy for every IMA namespace that measures activities inside the container
  - the policy can be overwritten once with a user-defined policy that may activate appraisal; this policy would be independent of that of the host
  - CAP_SYS_ADMIN currently gates the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
- IMA policy extensions due to namespacing:
  - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independently of whether the policy enables logging or auditing in child namespaces
- IMA-measurement:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independently of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-audit:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independently of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-appraisal and keys:
  - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
  - the keys (certificates) for verifying signatures may be found inside containers
  - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
  - the CA public key used for verifying the public keys (certificates) that in turn verify file signatures may be found inside the container or could be known to the container management stack
- IMA-appraisal and namespacing:
  - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns, evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?
  - Maybe the following would be a solution for appraising file accesses by (host) root, with the key used for signature verification assumed to be in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

 for imans from current-IMA-NS backwards up to and including init_ima_ns:
     if policy(imans) has appraisal rules for this file:
         if file appraisal fails:
             fail access
         else:
             allow access
         break

    Or, simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found): appraise with the policy of init_ima_ns and the key found in the .ima or _ima keyring of init_user_ns.
- TPM and measurements:
  - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as is done already
  - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but read/write access to their files is refused if it is initiated from the 'wrong' IMA namespace
- Extended attribute security.ima:
  - A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
- Extended attribute security.ima and bind mounting:
  - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
  - Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)
- SecurityFS:
  - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace
  - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces
  - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace

Possible abuse scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace. What should happen with IMA logging, appraisal, and auditing if we setns() through all available

- PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy, with special handling for (host) root
- IPC namespaces and send messages via IPC: same as for PID
- UTS namespaces and set the hostname: same as for PID
- NET namespaces and send network traffic: same as for PID
- CGROUP namespaces and configure cgroups: same as for PID
- USER namespaces: should the keys of this USER namespace now be active, or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] Other than that, same as for PID?
- MNT namespaces and access files or execute programs: same as for PID; if the active IMA namespace policy requires file appraisal, files would need to be signed with a key from the keyring in the current USER namespace

=== IMA namespaces and IMA policy semantics ===

The following shows IMA policy rules and their semantics when applied to IMA namespaces:

 1) audit FUNC=BPRM_CHECK
 2) audit FUNC=BPRM_CHECK ns
 3) measure func=BPRM_CHECK

The interpretation of these IMA policy rules is as follows:

1) Files executed in the IMA namespace that has this policy rule and in its child namespaces are audited once
2) Files executed in a child namespace of the IMA namespace that has this policy rule are audited, even if already audited in the IMA namespace that has this policy rule or in another namespace
3) Files executed in the IMA namespace that has this policy rule and in its child namespaces are measured once

Note: Initially, the init_ima_ns will be the only IMA namespace that has a policy.

== Standalone IMA namespace versus IMA namespace attached to MOUNT namespace or USER namespace ==

1) The first set of posted patches '''attached the IMA namespace to the MOUNT namespace''' and shared the CLONE_NEWNS flag. Whenever a new mount namespace was created, it also created a new IMA namespace. Similarly, a setns() on a MOUNT namespace would also join the conjoint IMA namespace. File measurements and appraisal of an IMA policy would work on the files in the MOUNT namespace. The key used for the appraisal would be in the currently setns()'d USER namespace (the current implementation of IMA would need to be fixed in that regard). This proposed implementation of conjoint MOUNT and IMA namespaces was rejected.

2) Another choice is to '''attach the IMA namespace to the USER namespace'''. An IMA file measurement and appraisal policy would become activated when the conjoint USER and IMA namespaces are joined using setns(), for example.
Side effects of this include that joining a USER namespace activates an IMA policy which, if appraisal is active, starts appraising file accesses, which may include file access denials.

3) The last choice is to have IMA be a '''stand-alone namespace''' that is spawned using its own CLONE flag or by writing to a (securityfs) file. An IMA file measurement and appraisal policy would be activated when the IMA namespace is joined using setns(), for example. Only if the appropriate set of MOUNT namespaces and USER namespace, providing file signatures and keys for signature verification respectively, is also joined will file appraisal result in working file accesses; otherwise file accesses may be denied.

The last two choices have their advantages and disadvantages. In order to avoid side effects on existing USER namespaces, the 3rd choice seems better suited, though a system with IMA appraisal active in IMA namespaces will have restrictions when switching through MNT and possibly USER namespaces using setns(). The restrictions are related to file appraisal and possibly file access denials as well as file measurements.

0b33ef175d00495b82039d58fd4dd771c5f39398 3970 3969 2018-04-30T17:57:54Z Stefanb 10 /* Namespacing IMA */ wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement extends the concept of “trusted boot”[1] to the running OS. Based on policy, as files are accessed, executed, or mmapped, a hash of the file data is calculated, used to extend the TPM[2] if enabled, and added to the IMA measurement list. The current builtin IMA-measurement Trusted Computing Base (TCB) policies measure all files read by root or executed/mmapped by any user. They also measure all kernel modules and firmware when they are loaded, as well as the IMA policy itself.
IMA-appraisal extends the concept of “secure boot”[3] to the running OS. Based on policy, as files are accessed, executed, or mmapped, the file hash is calculated and verified against the known good value stored in the security.ima xattr. The security.ima xattr can hold either a file hash or a signature. The keys for verifying the file data signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit adds system audit records containing the file hash to the system audit log. The IMA-audit records can be used to augment existing security analytics software and for system forensics.

Namespacing each of these features requires not only adding IMA namespacing support but also some additional kernel changes. Our goals are to ultimately enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. Namespacing these different aspects of IMA is a major undertaking and needs to be staged in manageable pieces.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern is the activity of root in the TCB. Since root has all rights on the system, root could try to abuse that power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation.
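To make the design points that this section enumerates concrete, the following is a small Python model of a tree of IMA namespaces with per-namespace policy rules and keyrings. It is an added illustration, not code from this wiki page or from the posted kernel patches. It implements the stated semantics of the audit FUNC=BPRM_CHECK rule with and without the trailing "ns" (audited once in the owning namespace and its children, versus audited again in every child namespace), the design point that (host) root's activity in a child namespace is measured and audited in the host log regardless of that namespace's policy, and the appraisal walk from the current namespace back to init_ima_ns given in pseudocode further down. The rule parser accepts both spellings the page uses (FUNC= and func=). Only the BPRM_CHECK hook is modelled; the tree layout, the per-namespace keyring standing in for the keyring of the associated USER namespace, signature_ok() standing in for real signature verification of security.ima, the dedup keys that implement "once", and the sample files and key ids are all assumptions of this example.

```python
"""Toy model of the IMA-namespace design points enumerated in this section.
Added illustration, not code from the wiki page or the posted kernel patches: the
namespace tree, rule syntax, per-namespace keyrings and decision walk are simplified
assumptions chosen to make the stated semantics concrete."""
from collections import namedtuple
from dataclasses import dataclass, field

HOST_ROOT_UID = 0  # uid 0 in init_user_ns

@dataclass
class Rule:
    action: str        # measure | audit | appraise
    func: str          # hook name, e.g. BPRM_CHECK
    ns: bool = False   # 'ns' flag: audit again in every child namespace

def parse_rule(text):
    """Parse one policy line in the page's syntax, e.g. 'audit func=BPRM_CHECK ns'."""
    action, *rest = text.split()
    func = next((t.split("=", 1)[1] for t in rest if t.lower().startswith("func=")), None)
    if action not in ("measure", "audit", "appraise") or func is None:
        raise ValueError(f"bad rule {text!r}")
    return Rule(action, func, ns="ns" in rest)

@dataclass
class ImaNs:
    name: str
    parent: "ImaNs | None" = None
    rules: list = field(default_factory=list)
    keyring: set = field(default_factory=set)            # keys trusted by its USER ns (assumed)
    measurement_log: list = field(default_factory=list)  # (path, executing ns)
    audit_log: list = field(default_factory=list)
    seen: set = field(default_factory=set)               # dedup keys for 'once' semantics

    def chain(self):  # this namespace, then its parents up to and including init_ima_ns
        ns = self
        while ns is not None:
            yield ns
            ns = ns.parent

    def appraises(self, func):
        return any(r.action == "appraise" and r.func == func for r in self.rules)

File = namedtuple("File", "path signed_with")  # signed_with: key id behind security.ima

def signature_ok(file, keyring):
    """Stand-in for verifying the security.ima signature against a keyring."""
    return file.signed_with is not None and file.signed_with in keyring

def bprm_check(ns, file, uid):
    """Model the BPRM_CHECK hook: `uid` executes `file` inside namespace `ns`."""
    out = {"allowed": True, "measured_in": [], "audited_in": []}
    chain = list(ns.chain())
    init_ns = chain[-1]
    def record(owner, kind, key):
        if key in owner.seen:  # 'once' semantics, tracked per owning namespace
            return
        owner.seen.add(key)
        (owner.measurement_log if kind == "measure" else owner.audit_log).append((file.path, ns.name))
        out["measured_in" if kind == "measure" else "audited_in"].append(owner.name)
    for owner in chain:  # the rules of this namespace and of every ancestor apply
        for rule in owner.rules:
            if rule.func != "BPRM_CHECK":
                continue
            if rule.action == "measure":
                record(owner, "measure", ("measure", file.path))
            elif rule.action == "audit":  # with 'ns': one record per executing child ns
                record(owner, "audit", ("audit", file.path, ns.name if rule.ns else None))
    # Design point: (host) root in a child ns is measured and audited in the host log regardless.
    if uid == HOST_ROOT_UID and ns is not init_ns:
        record(init_ns, "measure", ("measure", file.path))
        record(init_ns, "audit", ("audit", file.path, ns.name))
    # Appraisal step 1: the current namespace's policy with the joined USER ns keys.
    if ns.appraises("BPRM_CHECK") and not signature_ok(file, ns.keyring):
        out["allowed"] = False
        return out
    # Step 2 (the page's pseudocode, root only): walk back to init_ima_ns; the first
    # namespace with appraisal rules decides, using the keys assumed in init_user_ns.
    if uid == HOST_ROOT_UID and ns is not init_ns:
        for owner in chain:
            if owner.appraises("BPRM_CHECK"):
                out["allowed"] = signature_ok(file, init_ns.keyring)
                break
    return out

def demo():
    """Host measures and appraises; c1 has an 'ns' audit rule but no appraisal rule
    of its own; c2 is nested below c1 with an empty policy."""
    host = ImaNs("init_ima_ns", keyring={"host-key"})
    host.rules = [parse_rule("measure func=BPRM_CHECK"), parse_rule("appraise func=BPRM_CHECK")]
    c1 = ImaNs("IMANS:c1", parent=host, keyring={"container-key"})
    c1.rules = [parse_rule("audit func=BPRM_CHECK ns")]
    c2 = ImaNs("IMANS:c2", parent=c1, keyring={"container-key"})
    sh, tool = File("/bin/sh", "container-key"), File("/usr/bin/tool", "host-key")  # constructed
    return [
        bprm_check(c1, sh, 1000),  # container user: measured on host, audited in c1
        bprm_check(c1, sh, 1000),  # same again: nothing new ('once')
        bprm_check(c2, sh, 1000),  # nested child: the 'ns' rule audits again in c1
        bprm_check(c1, sh, 0),     # host root: audited on host, denied by the host key
        bprm_check(c1, tool, 0),   # host root, host-signed file: allowed
    ]
```

The fourth call in demo() is the case the page asks about: host root executing a container-signed binary in a namespace that has no appraisal rule of its own is still recorded in the host audit log and, under the walk back to init_ima_ns, is appraised against the host's keys and denied, while the container user executing the same file is subject only to the container's policy.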
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

- IMA policy for containers (similar to the host's):
  - there should be an initial default policy for every IMA namespace that measures activities inside the container
  - the policy can be overwritten once with a user-defined policy that may activate appraisal; this policy would be independent of that of the host
  - CAP_SYS_ADMIN currently gates the setting of the IMA policy; setting the policy should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
- IMA policy extensions due to namespacing:
  - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independently of whether the policy enables logging or auditing in child namespaces
- IMA-measurement:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independently of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-audit:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independently of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-appraisal and keys:
  - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
  - the keys (certificates) for verifying signatures may be found inside containers
  - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
  - the CA public key used for verifying the public keys (certificates) that in turn verify file signatures may be found inside the container or could be known to the container management stack
- IMA-appraisal and namespacing:
  - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns, evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?
  - Maybe the following would be a solution for appraising file accesses by (host) root, with the key used for signature verification assumed to be in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

 for imans from current-IMA-NS backwards up to and including init_ima_ns:
     if policy(imans) has appraisal rules for this file:
         if file appraisal fails:
             fail access
         else:
             allow access
         break

    Or, simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found): appraise with the policy of init_ima_ns and the key found in the .ima or _ima keyring of init_user_ns.
- TPM and measurements:
  - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as is done already
  - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but read/write access to their files is refused if it is initiated from the 'wrong' IMA namespace
- Extended attribute security.ima:
  - A container should be able to set the security.ima extended attribute; this should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
- Extended attribute security.ima and bind mounting:
  - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
  - Extended attributes such as security.ima may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)
- SecurityFS: - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces; - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace Possible abuse-scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity active in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available - PID namespaces and send signals: log, appraise, and audit file activity following IMA policy with special handling for (host) root - IPC namespaces and send messages via IPC: same as for PID - UTS namespaces and setting hostname: same as for PID - NET namespaces and sending network traffic: same as for PID - CGROUP namespaces and configuring cgroups: same as for PID - USER: should now the keys of this USER namespace be active or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] other than that, same as for PID? 
- MNT namespaces and access files or execute program: same as for PID; if active IMA namespace policy requires file appraisal, files would need to be signed with key from keyring in current USER namespace === IMA namespaces and IMA policy semantics === The following shows IMA policy rules and their semantics when applied to IMA namespaces: 1) audit FUNC=BPRM_CHECK 2) audit FUNC=BPRM_CHECK ns 3) measure func=BPRM_CHECK The interpretation of these IMA policy rules is as follows: 1) Files executed in the IMA namespace that has this policy rule and its child namespaces are audited once 2) Files executed in a child namespace of the IMA namespace that has this policy rule are audited, even if already audited in the IMA namespace that has this policy rule or another namespace 3) Files executed in the IMA namespace that has this policy rule and its child namespaces are measured once Note: Initially, the init_ima_ns will be the only IMA namespace that will have a policy. == Standalone IMA namespace versus IMA namespace attached to MOUNT namespace or USER namespace == 1) The first set of posted patches '''attached the IMA namespace to the MOUNT namespace''' and shared the CLONE_NEWNS flag. Whenever a new mount namespace was created, it also created a new IMA namespace. Similarly, a setns() on a MOUNT namespace would also join the conjoint IMA namespace. File measurements and appraisal of an IMA policy would work on the files in the MOUNT namespace. The key used for the appraisal would be in the currently setns()'d USER namespace (the current implementation of IMA would need to be fixed in that regard). This proposed implementation of conjoint MOUNT and IMA namespaces was rejected. 2) Another choice is to '''attach the IMA namespace to the USER namespace'''. An IMA file measurement and appraisal policy would become activated when the conjoint USER and IMA namespaces are joined using setns() for example. 
Side effects of this include that joining a USER namespace activates an IMA policy, that, if appraisal is active, start appraising file accesses, which may include file access denials. 3) The last choice is to have IMA be a '''stand-alone namespace''' that is spawned using its own CLONE flag or by writing to a (securityfs) file. An IMA file measurement and appraisal policy would be activated when the IMA namespace is joint using setns() for example. If the appropriate set of MOUNT namespaces and USER namespace, providing file signatures and keys for signature verification respectively, is also joined, then only file appraisal will result in working file accesses, otherwise file accesses may be denied. The last two choices have their advantages and disadvantages. In order to avoid side effects on existing USER namespaces, the 3rd choice seems better suited. Though a system with IMA appraisal active in IMA namespaces will have restrictions when switching through MNT and possibly USER namespaces using setns(). Restrictions are related to file appraisal and possibly file access denials as well as file measurements. 311a0110d7b32fce1d77d5bf95e80e0327e8a36a 3971 3970 2018-04-30T19:12:21Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki == Namespacing IMA == Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace. === Background === IMA-measurement extends the concept of “trusted boot”[1] to the running OS. Based on policy, as files are accessed, executed, mmapped a hash of the file data is calculated and used to extend TPM[2], if enabled, and added to the IMA measurement list. The current builtin IMA-measurement Trusted Computing Base (TCB) policies measures all files read by root or executed/mmapped by any user. It also measures all kernel modules and firmware, when they are loaded, as well as the IMA policy itself. 
IMA-appraisal extends the concept of “secure boot”[3] to the running OS. Based on policy, as files are accessed, executed, or mmapped, the file hash is calculated and used to verify the known good value stored in the security.ima xattr. The security.ima xattr can hold either a file hash or a signature. The keys for verifying the file data signature are found in the IMA-specific keyrings .ima or _ima.

IMA-audit adds system audit records containing the file hash to the system audit log. The IMA-audit records can be used to augment existing security analytics software and for system forensics.

Namespacing each of these features requires not only adding IMA namespacing support, but also some additional kernel changes. Our goals are to ultimately enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. Namespacing these different aspects of IMA is a major undertaking and needs to be staged in manageable pieces.

=== IMA Namespacing Considerations ===

When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are the activities of root in the TCB. Since root has all the rights on the system, he could try to abuse his power by spawning new IMA namespaces and doing things there that affect the TCB but would now go undetected due to weaknesses in the IMA namespacing implementation. The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems.

Support for IMA in namespaces should enable the following:

- IMA policy for containers (similar to the host):
  - there should be an initial default policy for every IMA namespace that measures activities inside the container
  - the uids in policy rules are relative to the uids of the user namespace that is active; uid=0 refers to root inside the user namespace
  - just as the existing builtin policies can be replaced with a custom policy once, the namespace policy can be replaced with a user-defined custom policy once. Both the initial and the custom namespace IMA policies would be independent of the host policy.
- CAP_SYS_ADMIN is currently gating the setting of the IMA policy:
  - setting the policy should be possible without the almighty CAP_SYS_ADMIN
  - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
- IMA policy extensions due to namespacing:
  - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - The existing builtin policies assume policy rules are based on the global “uid” or “fowner”, not on the namespaced “uid” or “fowner”. Instead of explicitly including specific “uid” or “fowner” rules for each container, allow rules to be specified in terms of the namespaced “uid” or “fowner”. For example, “measure func=FILE_CHECK mask=^MAY_READ uid=0 ns” means measure all files opened for read by root in the namespace, and “appraise fowner=0 ns” means appraise all files owned by root in the namespace.
  - The measurement list size is currently unbounded. Additional rules, which measure files opened by root in the namespace or appraise files owned by root in the namespace, will add additional system memory pressure.
- IMA-measurement:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-audit:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-appraisal and keys:
  - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
  - the keys (certificates) for verifying signatures may be found inside containers
  - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
  - the CA public key used for verifying the public keys (certificates) that in turn verify file signatures may be found inside the container or could be known to the container management stack
- IMA-appraisal and namespacing:
  - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set? We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns, evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns? Maybe the following would be a solution for appraising file accesses by (host) root, with the key used for signature verification assumed to be in the init_user_ns; this is a step after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

   for imans from the current IMA namespace backwards up to and including init_ima_ns:
       if policy(imans) has appraisal rules for this file:
           if file appraisal fails:
               fail access
           else:
               allow access
           break

  or, simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found): appraise with the policy of init_ima_ns and the key found in the .ima or _ima keyring of init_user_ns.
- TPM and measurements:
  - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as is done already
  - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but refuse read/write access to their files if the access is initiated from the 'wrong' IMA namespace
- Extended attribute security.ima:
  - A container should be able to set the security.ima extended attribute
  - this should be possible without the almighty CAP_SYS_ADMIN;
  - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
- Extended attribute security.ima and bind mounting:
  - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
  - Extended attributes, such as security.ima, may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)
- SecurityFS:
  - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace
  - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces;
  - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace

Possible abuse scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace: What should happen with IMA logging, appraisal, and auditing if we setns() through all available

- PID namespaces and send signals: log, appraise, and audit file activity following the IMA policy, with special handling for (host) root
- IPC namespaces and send messages via IPC: same as for PID
- UTS namespaces and set the hostname: same as for PID
- NET namespaces and send network traffic: same as for PID
- CGROUP namespaces and configure cgroups: same as for PID
- USER namespaces: should the keys of this USER namespace now be active, or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] Other than that, same as for PID?
- MNT namespaces and access files or execute programs: same as for PID; if the active IMA namespace policy requires file appraisal, files would need to be signed with a key from the keyring in the current USER namespace

=== IMA namespaces and IMA policy semantics ===

The following shows IMA policy rules and their semantics when applied to IMA namespaces:

 1) audit func=BPRM_CHECK
 2) audit func=BPRM_CHECK ns
 3) measure func=BPRM_CHECK

The interpretation of these IMA policy rules is as follows:

1) Files executed in the IMA namespace that has this policy rule and in its child namespaces are audited once
2) Files executed in a child namespace of the IMA namespace that has this policy rule are audited, even if already audited in the IMA namespace that has this policy rule or in another namespace
3) Files executed in the IMA namespace that has this policy rule and in its child namespaces are measured once

Note: Initially, the init_ima_ns will be the only IMA namespace that has a policy.

== Standalone IMA namespace versus IMA namespace attached to MOUNT namespace or USER namespace ==

1) The first set of posted patches '''attached the IMA namespace to the MOUNT namespace''' and shared the CLONE_NEWNS flag. Whenever a new mount namespace was created, it also created a new IMA namespace. Similarly, a setns() on a MOUNT namespace would also join the conjoint IMA namespace. File measurements and appraisal of an IMA policy would work on the files in the MOUNT namespace. The key used for the appraisal would be in the currently setns()'d USER namespace (the current implementation of IMA would need to be fixed in that regard). This proposed implementation of conjoint MOUNT and IMA namespaces was rejected.

2) Another choice is to '''attach the IMA namespace to the USER namespace'''. An IMA file measurement and appraisal policy would become activated when the conjoint USER and IMA namespaces are joined, using setns() for example.
Side effects of this include that joining a USER namespace activates an IMA policy that, if appraisal is active, starts appraising file accesses, which may include file access denials.

3) The last choice is to have IMA be a '''stand-alone namespace''' that is spawned using its own CLONE flag or by writing to a (securityfs) file. An IMA file measurement and appraisal policy would be activated when the IMA namespace is joined, using setns() for example. Only if the appropriate set of MOUNT namespaces and USER namespace, providing file signatures and keys for signature verification respectively, is also joined will file appraisal result in working file accesses; otherwise file accesses may be denied.

The last two choices have their advantages and disadvantages. In order to avoid side effects on existing USER namespaces, the 3rd choice seems better suited, though a system with IMA appraisal active in IMA namespaces will have restrictions when switching through MNT and possibly USER namespaces using setns(). These restrictions relate to file appraisal and possibly file access denials, as well as file measurements.

6bb407045d800bd896ee62acb5248565af4e66fb 3972 3971 2018-04-30T19:12:44Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki

9eed215311a27bcedf6886280b0569c0c0234f0c 3973 3972 2018-04-30T19:14:43Z Stefanb 10 /* IMA Namespacing Considerations */ wikitext text/x-wiki

== Namespacing IMA ==

Our goals are to enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. The intention is to introduce an IMA namespace.

=== Background ===

IMA-measurement extends the concept of “trusted boot”[1] to the running OS. Based on policy, as files are accessed, executed, or mmapped, a hash of the file data is calculated and used to extend the TPM[2], if enabled, and added to the IMA measurement list. The current builtin IMA-measurement Trusted Computing Base (TCB) policies measure all files read by root or executed/mmapped by any user. They also measure all kernel modules and firmware when they are loaded, as well as the IMA policy itself.
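The namespace policy semantics set out above (rules with and without the ns flag, host root always measured and audited whatever a child namespace's policy says, and the appraisal walk from the current IMA namespace back to init_ima_ns) can be checked against a small model. This is an added example, not code from the wiki page or from the posted IMA namespacing patches; the classes ImaNamespace and Rule, the evaluate() function, and a per-namespace keyring standing in for the .ima keyring of the associated user namespace are the example's own assumptions.

```python
"""Model of the IMA namespace policy semantics sketched in these notes (added example).

Assumed interpretation: a measure/audit rule without 'ns' fires once per file for the
namespace holding the rule and all of its descendants; with 'ns' it fires again in every
child namespace; host root is measured and audited in every IMA namespace regardless of
that namespace's policy; for host root, appraisal then walks back to init_ima_ns and the
first policy with an appraisal rule decides, with the key expected in init_user_ns.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                 # "measure", "audit" or "appraise"
    func: str                   # IMA hook, e.g. "BPRM_CHECK" or "FILE_CHECK"
    uid: Optional[int] = None   # uid relative to the active user namespace; None = any uid
    ns: bool = False            # the 'ns' flag: apply again in every child IMA namespace


@dataclass
class ImaNamespace:
    name: str
    parent: Optional["ImaNamespace"] = None
    policy: list = field(default_factory=list)
    keyring: set = field(default_factory=set)   # stands in for the user ns .ima keyring
    log: list = field(default_factory=list)     # (action, path, name of accessing ns)
    seen: set = field(default_factory=set)      # keys already applied ("once" semantics)

    def chain(self):
        """Yield this namespace, then its ancestors up to and including init_ima_ns."""
        ns = self
        while ns is not None:
            yield ns
            ns = ns.parent

    def init_ns(self):
        return list(self.chain())[-1]


def _record(holder, rule, current, path):
    """Log an event once per file, or once per child namespace for 'ns' rules."""
    key = (rule.action, path, current.name if rule.ns else holder.name)
    if key in holder.seen:
        return False
    holder.seen.add(key)
    holder.log.append((rule.action, path, current.name))
    return True


def evaluate(current, func, path, uid, host_root=False, signer_key=None):
    """Evaluate one file access in `current`; return (allowed, actions taken).

    uid is the caller's uid in the active user namespace, host_root says whether the
    caller is uid 0 of init_user_ns, signer_key identifies the key that signed the
    file's security.ima (None for an unsigned file).
    """
    actions = []
    # Step 1: measure/audit rules of the current namespace and all of its ancestors.
    for holder in current.chain():
        for rule in holder.policy:
            if rule.action == "appraise" or rule.func != func:
                continue
            if rule.uid is not None and rule.uid != uid:
                continue
            if rule.ns and holder is current:
                continue            # 'ns' rules only cover child namespaces
            if _record(holder, rule, current, path):
                actions.append((rule.action, holder.name))
    # Step 2: host root is measured and audited in every IMA namespace, even one
    # whose own policy is empty.
    if host_root:
        for action in ("measure", "audit"):
            if _record(current, Rule(action, func), current, path):
                actions.append((action, current.name))
    # Step 3: appraise with the current namespace's policy and the active user ns key.
    for rule in current.policy:
        if rule.action == "appraise" and rule.func == func and rule.uid in (None, uid):
            if signer_key not in current.keyring:
                return False, actions
            break
    # Step 4: for host root, walk back to init_ima_ns; the first policy on the way with
    # an appraisal rule for this hook decides (uid=0 there means root of init_user_ns).
    if host_root:
        init_keys = current.init_ns().keyring
        for holder in current.chain():
            if any(r.action == "appraise" and r.func == func for r in holder.policy):
                return signer_key in init_keys, actions
    return True, actions


def build_demo():
    """Constructed sample: a host policy and two container IMA namespaces below it."""
    init = ImaNamespace("init_ima_ns", policy=[
        Rule("measure", "BPRM_CHECK"),          # measured once across all namespaces
        Rule("audit", "BPRM_CHECK", ns=True),   # audited again in every child namespace
        Rule("appraise", "BPRM_CHECK", uid=0),  # host root may only execute signed files
    ], keyring={"host-ca-key"})
    tenant = ImaNamespace("IMANS:1", parent=init, keyring={"tenant-a-key"},
                          policy=[Rule("appraise", "BPRM_CHECK")])
    empty = ImaNamespace("IMANS:2", parent=init)   # container with an empty IMA policy
    return init, tenant, empty


if __name__ == "__main__":
    init, tenant, empty = build_demo()
    print(evaluate(tenant, "BPRM_CHECK", "/bin/sh", uid=0, signer_key="tenant-a-key"))
    print(evaluate(empty, "BPRM_CHECK", "/usr/bin/tool", uid=65534, host_root=True))
```

Running the module shows a container-root execution in IMANS:1 being measured once and audited under the host's ns rule, while an unsigned execution by host root in IMANS:2, whose policy is empty, is still measured, audited and then denied by the host appraisal policy.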
IMA-appraisal: extends the concept of “secure boot”[3] to the running OS. Based on policy, as files are accessed, executed, mmapped the file hash is calculated and used to verify the known good value as stored in the security.ima xattr. Stored in the security.ima xattr could be either a file hash or a signature. The keys for verifying the file data signature are found in IMA specific keyrings .ima or _ima. IMA-audit: adds system audit records containing the file hash to the system audit log. The IMA-audit records can be used to augment existing security analytics software and be used for system forensics. Namespacing each of these features requires not only adding IMA namespacing support, but requires some additional kernel changes. Our goals are to ultimately enable IMA-measurement, IMA-appraisal, and IMA-audit inside a container using Linux namespaces. Namespacing these different aspects of IMA is a major under taking and needs to be staged in manageable pieces. === IMA Namespacing Considerations === When namespacing IMA we certainly want to prevent the abuse of namespaces by users doing things that go undetected. A primary concern are activities of root in the TCB. Since root has all the rights on the system he could try to abuse his power by spawning new IMA namespaces and do things there that affect the TCB but now would go undetected due to weaknesses in the IMA namespacing implementation. 
The following enumeration of IMA namespacing design points is supposed to guide the implementation and prevent such problems. Support for IMA in namespaces should enable the following:

- IMA policy for container (similar to the host):
  - there should be an initial default policy for every IMA namespace that measures activities inside the container
  - the uids in policy rules are relative to the uids of the user namespace that is active; uid=0 refers to root inside the user namespace
  - like the existing builtin policies, which can be replaced with a custom policy once, the namespace policy can be replaced with a user-defined custom policy once. Both the initial and custom namespace IMA policies would be independent of the host policy.
  - CAP_SYS_ADMIN is currently gating the setting of the IMA policy;
    - setting the policy should be possible without the almighty CAP_SYS_ADMIN
    - we may want to gate this with a new capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy during container runtime
- IMA policy extensions due to namespacing:
  - an IMA policy should allow rules that define whether activities in (all) child namespaces are to be measured (huge logs on the host) and audited or not; a use case for not measuring may be found in cloud environments where containers come and go and the log on the host could possibly eat up a lot of memory
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured and audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - The existing builtin policies assume policy rules are based on the global “uid” or “fowner”, not on the namespaced “uid” or “fowner”. Instead of explicitly including specific “uid” or “fowner” rules for each container, allow rules to be specified in terms of the namespaced “uid” or “fowner”.
    For example, “measure func=FILE_CHECK mask=^MAY_READ uid=0 ns” means measure all files opened for read by root in the namespace, and “appraise fowner=0 ns” means appraise all files owned by root in the namespace.
  - The measurement list size is currently unbounded. Additional rules, which measure files opened by root in the namespace or appraise files owned by root in the namespace, will add additional system memory pressure.
- IMA-measurement:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be ''measured'' and audited in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-audit:
  - to prevent (host) root from spawning new IMA namespaces and doing things undetected in the TCB, all activities of root must be measured and ''audited'' in all IMA namespaces, independent of whether the policy enables logging or auditing in child namespaces
  - activities of all other users, including the container-root user, would only be subject to the policy set in the IMA namespace
- IMA-appraisal and keys:
  - each IMA namespace should have its own keyring so that each container can have its files signed with different keys
  - the keys (certificates) for verifying signatures may be found inside containers
  - it should be possible to enforce that only certified keys are loaded onto a keyring, similar to .ima on the host
  - the CA public key used for verifying the public keys (certificates) that are used for verifying signatures may be found inside the container or could be known to the container management stack
- IMA-appraisal and namespacing:
  - If IMA-appraisal is active on the host (per policy rules on the host), what is supposed to happen when (host) root executes files in a (nested) IMA namespace where an empty IMA policy has been set?
    We would measure and audit root's activities as described above. What about appraising? Would we traverse all the IMA namespaces back to the init_ima_ns and evaluate signatures against the appraisal policy set there, and assume we would always find the keys in the init_user_ns?
    Maybe the following would be a solution for appraising file accesses by (host) root, with the key used for signature verification assumed to be in the init_user_ns. This is a step taken after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found:

     for imans from current-IMA-NS backwards up to and including init_ima_ns:
         if policy(imans) has appraisal rules for this file:
             if file appraisal fails:
                 fail access
             else:
                 allow access
             break

    Or, simplified (again after evaluating the file access with the current IMA namespace's policy and the currently active USER namespace where the key can be found): appraise with the policy of init_ima_ns and the key found in the .ima or _ima keyring of init_user_ns.
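As an added illustration (not code from this page or from the IMA namespacing patches), the following Python model walks through the flow sketched above: a subject is first evaluated against the current IMA namespace's policy with keys from the active user namespace, host root is measured and audited in every IMA namespace regardless of policy, and for host root the ancestor chain up to init_ima_ns is consulted with keys from init_user_ns. The namespace names, policies, keyrings and the hash-based toy signature standing in for the real security.ima signature are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

def toy_sign(secret: str, digest: str) -> str:
    """Constructed stand-in for the signature in security.ima (real IMA uses RSA/ECDSA)."""
    return hashlib.sha256((secret + digest).encode()).hexdigest()

@dataclass
class UserNs:
    name: str
    ima_keyring: Dict[str, str]  # key id -> verification secret; models the .ima keyring

@dataclass
class Rule:
    action: str                  # "measure", "audit" or "appraise"
    func: str                    # hook, e.g. "BPRM_CHECK"
    uid: Optional[int] = None    # uid relative to the active user namespace; None matches any

@dataclass
class ImaNs:
    name: str
    policy: List[Rule]
    parent: Optional["ImaNs"] = None
    measurement_list: List[str] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

@dataclass
class File:
    path: str
    digest: str                              # hash of the file data
    security_ima: Optional[Tuple[str, str]]  # (key id, signature); None if unsigned

def appraise(f: File, user_ns: UserNs) -> bool:
    """Verify security.ima with a key from the given user namespace's keyring."""
    if f.security_ima is None:
        return False
    key_id, sig = f.security_ima
    secret = user_ns.ima_keyring.get(key_id)
    return secret is not None and toy_sign(secret, f.digest) == sig

def has_rule(ns: ImaNs, action: str, func: str, uid: int) -> bool:
    return any(r.action == action and r.func == func and r.uid in (None, uid)
               for r in ns.policy)

def access(f: File, func: str, cur: ImaNs, cur_user: UserNs, uid: int,
           host_root: bool, init_user: UserNs) -> bool:
    """Decide one access in IMA namespace `cur` by `uid` of user namespace `cur_user`.
    host_root marks a subject that is uid 0 in init_user_ns."""
    # Design point: host root is measured and audited in every IMA namespace,
    # no matter what that namespace's policy says; everyone else follows the policy.
    if host_root or has_rule(cur, "measure", func, uid):
        cur.measurement_list.append(f"{f.path}:{f.digest}")
    if host_root or has_rule(cur, "audit", func, uid):
        cur.audit_log.append(f"{func} {f.path} uid={uid} host_root={host_root}")
    # Step 1: evaluate the current namespace's own policy with the keys of the
    # currently active user namespace.
    if has_rule(cur, "appraise", func, uid) and not appraise(f, cur_user):
        return False
    if not host_root:
        return True
    # Step 2 (host root only): walk the ancestors back to init_ima_ns; the first
    # one with an appraisal rule decides, using the keys found in init_user_ns.
    ns = cur.parent
    while ns is not None:
        if has_rule(ns, "appraise", func, 0):
            return appraise(f, init_user)
        ns = ns.parent
    return True

def build_scenario():
    """Constructed host with one container that has an empty IMA policy and its own keyring."""
    init_user = UserNs("init_user_ns", {"host-key": "host-secret"})
    cont_user = UserNs("container_user_ns", {"cont-key": "cont-secret"})
    init_ima = ImaNs("init_ima_ns", [Rule("measure", "BPRM_CHECK"),
                                     Rule("appraise", "BPRM_CHECK", uid=0)])
    cont_ima = ImaNs("container_ima_ns", [], parent=init_ima)

    def signed(path: str, key_id: str, secret: str) -> File:
        digest = hashlib.sha256(path.encode()).hexdigest()  # constructed file content
        return File(path, digest, (key_id, toy_sign(secret, digest)))

    files = {"tool": signed("/usr/bin/tool", "host-key", "host-secret"),
             "app": signed("/app/run", "cont-key", "cont-secret"),
             "unsigned": File("/app/unsigned", hashlib.sha256(b"x").hexdigest(), None)}
    return init_user, cont_user, init_ima, cont_ima, files

if __name__ == "__main__":
    init_user, cont_user, _, cont_ima, files = build_scenario()
    for name in ("tool", "app", "unsigned"):
        ok = access(files[name], "BPRM_CHECK", cont_ima, cont_user, 0, True, init_user)
        print(f"host root execs {files[name].path} in the container: {'allowed' if ok else 'denied'}")
    print(len(cont_ima.measurement_list), "entries in the container's measurement list")
```

Running it shows the asymmetry the design aims for: container root executing an unsigned file under the empty container policy is allowed and leaves no measurement, while host root executing the same file is measured, audited and denied by the init_ima_ns appraisal rule.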
- TPM and measurements:
  - The IMA namespace that holds the logs should be configurable to extend PCRs; since the single TPM of the host cannot be shared by containers, each IMA namespace would have to be associated with its own TPM instance (vTPM); measurements in the initial IMA namespace are extended into the hardware TPM as done already
  - Each IMA namespace should only have access to the sysfs entries of its own TPM instance; ideally, sysfs would only show a single TPM device entry when viewed from an IMA namespace; an alternative may be that all devices are shown but read/write access to their files is refused if it is initiated from the 'wrong' IMA namespace
- Extended attribute security.ima:
  - A container should be able to set the security.ima extended attribute
    - this should be possible without the almighty CAP_SYS_ADMIN;
    - we may want to gate this with a new capability CAP_SECURITY_XATTR_ADMIN that allows setting security extended attributes inside a container, possibly only during container build-time
- Extended attribute security.ima and bind mounting:
  - It may be necessary that different namespaces be able to sign the same bind-mounted file with different keys (I am thinking of bind-mounted files that the container management stack modifies and that may need to be signed for the container to be able to access them.)
  - Extended attributes, such as security.ima, may need to be virtualizable (security.ima vs. security.ima@uid=1000 etc.)
- SecurityFS:
  - every IMA namespace should have (read/write) access to the entries that are associated with its IMA namespace
  - the organization of IMA's securityfs directory structure should reflect the child-parent relationship of IMA namespaces;
    - there should be a directory called 'namespaces' where each child namespace would have a directory with the name of the IMA namespace's inode ('IMANS:4768263432') that leads to the files holding the information about that namespace

Possible abuse scenarios may include switching through the namespaces (UTS, PID, IPC, NET, USER, CGROUP, MNT). I am not sure what is supposed to happen other than logging the activity in the current IMA namespace. What should happen with IMA logging, appraisal, and auditing if we setns() through all available:

- PID namespaces and send signals: log, appraise, and audit file activity following IMA policy with special handling for (host) root
- IPC namespaces and send messages via IPC: same as for PID
- UTS namespaces and set the hostname: same as for PID
- NET namespaces and send network traffic: same as for PID
- CGROUP namespaces and configure cgroups: same as for PID
- USER namespaces: should the keys of this USER namespace now be active, or the keys of the original user namespace used during the clone()? [we may need to adapt the current implementation...] Other than that, same as for PID?
- MNT namespaces and access files or execute programs: same as for PID; if the active IMA namespace policy requires file appraisal, files would need to be signed with a key from the keyring in the current USER namespace

=== IMA namespaces and IMA policy semantics ===

The following shows IMA policy rules and their semantics when applied to IMA namespaces:

 1) audit func=BPRM_CHECK
 2) audit func=BPRM_CHECK ns
 3) measure func=BPRM_CHECK

The interpretation of these IMA policy rules is as follows:

1) Files executed in the IMA namespace that has this policy rule and in its child namespaces are audited once
2) Files executed in a child namespace of the IMA namespace that has this policy rule are audited, even if already audited in the IMA namespace that has this policy rule or in another namespace
3) Files executed in the IMA namespace that has this policy rule and in its child namespaces are measured once

Note: Initially, the init_ima_ns will be the only IMA namespace that will have a policy.

== Standalone IMA namespace versus IMA namespace attached to MOUNT namespace or USER namespace ==

1) The first set of posted patches '''attached the IMA namespace to the MOUNT namespace''' and shared the CLONE_NEWNS flag. Whenever a new mount namespace was created, it also created a new IMA namespace. Similarly, a setns() on a MOUNT namespace would also join the conjoint IMA namespace. File measurements and appraisal of an IMA policy would work on the files in the MOUNT namespace. The key used for the appraisal would be in the currently setns()'d USER namespace (the current implementation of IMA would need to be fixed in that regard). This proposed implementation of conjoint MOUNT and IMA namespaces was rejected.

2) Another choice is to '''attach the IMA namespace to the USER namespace'''. An IMA file measurement and appraisal policy would become activated when the conjoint USER and IMA namespaces are joined using setns(), for example.
Side effects of this include that joining a USER namespace activates an IMA policy that, if appraisal is active, starts appraising file accesses, which may include file access denials.

3) The last choice is to have IMA be a '''stand-alone namespace''' that is spawned using its own CLONE flag or by writing to a (securityfs) file. An IMA file measurement and appraisal policy would be activated when the IMA namespace is joined using setns(), for example. Only if the appropriate set of MOUNT namespaces and USER namespace, providing file signatures and keys for signature verification respectively, is also joined will file appraisal result in working file accesses; otherwise file accesses may be denied.

The last two choices have their advantages and disadvantages. In order to avoid side effects on existing USER namespaces, the 3rd choice seems better suited, though a system with IMA appraisal active in IMA namespaces will have restrictions when switching through MNT and possibly USER namespaces using setns(). Restrictions are related to file appraisal and possibly file access denials as well as file measurements.

fe2d43c74d549e8016641ec895bc15f9ded677d9 3985 3973 2019-03-01T16:52:56Z Stefanb 10 /* Standalone IMA namespace versus IMA namespace attached to MOUNT namespace or USER namespace */ wikitext text/x-wiki

fce10b2547df605b09f2a1e5b0d645c14d6dffee Kernel Self Protection Project/Recommended Settings 0 183 3964 3924 2018-04-23T18:38:09Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system:

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CONFIG_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 
 # Force all structures to be initialized before they are passed to other functions.
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

= kernel command line options =

 # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 
 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

22091cd510a87cdfed899da30bdaa0ef675ed9fb 3965 3964 2018-04-23T18:38:37Z KeesCook 3 /* arm64 */ wikitext text/x-wiki
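As an added example (not part of the KSPP page or its tooling), the Python checker below parses a kernel .config and the "key = value" output of sysctl -a and reports every setting that deviates from a subset of the CONFIG and sysctl recommendations listed above. The CONFIG subset, the x86 value for CONFIG_DEFAULT_MMAP_MIN_ADDR and both sample inputs are constructed assumptions; a disabled option that is absent from .config counts as off, matching what "is not set" asks for.

```python
import re
from typing import Dict, List, Tuple

# Subset of the settings recommended on this page. "n" means the option must be off:
# either "# CONFIG_FOO is not set" or absent from the .config entirely.
RECOMMENDED_CONFIG = {
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_CC_STACKPROTECTOR_STRONG": "y",
    "CONFIG_DEVMEM": "n",
    "CONFIG_STRICT_DEVMEM": "y",
    "CONFIG_HARDENED_USERCOPY": "y",
    "CONFIG_HARDENED_USERCOPY_FALLBACK": "n",
    "CONFIG_SLAB_FREELIST_HARDENED": "y",
    "CONFIG_VMAP_STACK": "y",
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_KEXEC": "n",
    "CONFIG_PANIC_ON_OOPS": "y",
    "CONFIG_PANIC_TIMEOUT": "-1",
    "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",  # x86 value; the page lists 32768 for arm/arm64
}
RECOMMENDED_SYSCTL = {
    "kernel.kptr_restrict": "1",
    "kernel.dmesg_restrict": "1",
    "kernel.kexec_load_disabled": "1",
    "kernel.yama.ptrace_scope": "1",
    "user.max_user_namespaces": "0",
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Parse .config text into {option: value}; "# CONFIG_X is not set" lines become "n"."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse "key = value" lines as printed by sysctl -a."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def check(actual: Dict[str, str], recommended: Dict[str, str],
          missing: str) -> List[Tuple[str, str, str]]:
    """Return (setting, expected, actual) for each recommendation the input does not meet."""
    return [(key, want, actual.get(key, missing))
            for key, want in recommended.items() if actual.get(key, missing) != want]


def check_kconfig(cfg: Dict[str, str]) -> List[Tuple[str, str, str]]:
    # An option absent from .config is off, which is exactly what "n" asks for.
    return check(cfg, RECOMMENDED_CONFIG, "n")


def check_sysctl(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    return check(values, RECOMMENDED_SYSCTL, "<missing>")


# Constructed inputs for demonstration, not taken from a real system.
SAMPLE_CONFIG = """\
# Constructed sample .config fragment (x86_64)
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_VMAP_STACK=y
CONFIG_FORTIFY_SOURCE=y
# CONFIG_DEVKMEM is not set
CONFIG_KEXEC=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
"""
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 0
kernel.dmesg_restrict = 1
kernel.kexec_load_disabled = 0
kernel.yama.ptrace_scope = 1
"""

if __name__ == "__main__":
    findings = check_kconfig(parse_kconfig(SAMPLE_CONFIG)) + check_sysctl(parse_sysctl(SAMPLE_SYSCTL))
    for setting, want, have in findings:
        print(f"{setting}: expected {want}, found {have}")
```

On a live system the same functions can be fed the contents of /proc/config.gz (or /boot/config-$(uname -r)) and the output of sysctl -a.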
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation. CONFIG_UNMAP_KERNEL_AT_EL0=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. 
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
user.max_user_namespaces = 0

e9364ffd2217897533dcc02abe307690287e83d8 3966 3965 2018-04-23T18:39:26Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki
dbcc1a40e4518dccc5bef555f4155398470292ef 3967 3966 2018-04-23T18:41:11Z KeesCook 3 /* x86_64 */ wikitext text/x-wiki
7dcd0763e9f6b678522e4b89e8b69f0308b7b2a7 3968 3967 2018-04-23T18:41:26Z KeesCook 3 /* arm64 */ wikitext text/x-wiki
ce37cb8262e636f3bbdf819a4aba482029e24a08 3974 3968 2018-05-04T22:06:36Z KeesCook 3 /* sysctls */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system:

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

= kernel command line options =
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 e20624eaddc3c19b876544c9d7b1bf3303f793d0 3975 3974 2018-05-08T19:43:10Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # Randomize allocator freelists, harden metadata. 
CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. 
# CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). 
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. 
kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 1fdf365f1a899a3b6d59ac8a33cf241e116b6703 3976 3975 2018-06-21T23:05:33Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) 
CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. 
CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. 
# CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. 
kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 59fd63e137129d4b0d8ef289ed90d709227fa1da 3983 3976 2019-01-10T00:29:43Z KeesCook 3 /* CONFIGs */ Rename stack protector configs since v4.18 wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. 
CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. 
# CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. 
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. 
pti=on == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 7aabe9fb993aab1bbf70e8f1d6c199b5aa56ffa8 Events 0 6 3977 3922 2018-09-24T06:38:03Z JamesMorris 2 wikitext text/x-wiki == Upcoming == * [http://events.linuxfoundation.org/events/linux-security-summit-europe Linux Security Summit Europe 2018], Edinburgh, UK, October 25-26. == Past == === 2018 === * [http://events.linuxfoundation.org/events/linux-security-summit-north-america Linux Security Summit North America 2018], Vancouver, Canada, August 27-28. === 2017 === * [[Linux Kernel Summit 2017, Security Session]], Prague, Czech Republic, October 24. * [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15. === 2016 === * [[Linux Security Summit 2016]], Toronto, Canada. August 25-26. === 2015 === * [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21. ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. 
=== 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. ===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. 192d6f10258f53cdbf6259a2fdfa1dbe633f8e12 3984 3977 2019-02-05T00:43:36Z AndrewDonnellan 12 move LSSEU2018 to past wikitext text/x-wiki == Upcoming == == Past == === 2018 === * [http://events.linuxfoundation.org/events/linux-security-summit-europe Linux Security Summit Europe 2018], Edinburgh, UK, October 25-26. * [http://events.linuxfoundation.org/events/linux-security-summit-north-america Linux Security Summit North America 2018], Vancouver, Canada, August 27-28. === 2017 === * [[Linux Kernel Summit 2017, Security Session]], Prague, Czech Republic, October 24. * [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15. === 2016 === * [[Linux Security Summit 2016]], Toronto, Canada. August 25-26. === 2015 === * [[Linux Security Summit 2015]], Seattle, WA, USA. August 20-21. ===2014=== * [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon]. === 2013 === * [[Linux Security Summit 2013]] New Orleans, USA. === 2012 === * [[Linux Security Summit 2012]], San Diego, CA, USA. ===2011=== * [[Linux Security Summit 2011]], Santa Rosa, CA, USA. ===2010=== * [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston MA, USA. 
===2009=== *Security Microconf at the Linux Plumbers Conference 2009, September, Portland OR, USA. **CFP **LWN discussion *SELinux Developer Summit at LinuxCon 2009, September, Portland OR, USA. **Event Details *Security BoF (Birds of Feather) meeting at the Japan Linux Symposium, October 2009. Tokyo, Japan. **Enhanced Securities: Where Should We Go Next *Kernel Conference Australia, July 2009, Brisbane, Australia. *LCA security miniconf 20 January 2009, Hobart, Australia. bb2cbf8a34d36503ea8d35225fcb49997b2b9e4c Kernel Self Protection Project/Get Involved 0 182 3978 3880 2018-10-25T08:33:47Z KeesCook 3 whoops, forgot the IRC wikitext text/x-wiki Want to get involved in the [[Kernel Self Protection Project]]? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list], or hop on IRC at `##linux-hardened` on [https://freenode.net/ freenode]. = Introduce Yourself = Send an email to introduce yourself! Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers. = Patch Contribution Guidelines = When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. 
Even if you're only sending your patches to the kernel-hardening mailing list for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas.

As with any other Open Source project, it is particularly important that if you're working on upstreaming work from other Open Source projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 Grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins.

For Grsecurity copyright, when more specific details are not easy to find, the following could be used:

 Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.

Additionally, Grsecurity has asked that contributors include this in commit messages for non-trivial code ported from Grsecurity:

 $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.

----
''Revision 3979 (parent 3978) by KeesCook, 2018-10-25T08:37:23Z''

Want to get involved in the [[Kernel Self Protection Project]]? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list], or hop on IRC at <code>##linux-hardened</code> on [https://freenode.net/ freenode].

= Introduce Yourself =
Send an email to introduce yourself! Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started.

If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals.

We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Patch Contribution Guidelines =
When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches].

Even if you're only sending your patches to the kernel-hardening mailing list for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas.

As with any other Open Source project, it is particularly important that if you're working on upstreaming work from other Open Source projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 Grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins.

For Grsecurity copyright, when more specific details are not easy to find, the following could be used:

 Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.

Additionally, Grsecurity has asked that contributors include this in commit messages for non-trivial code ported from Grsecurity:

 $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.

----
''Page: User:AndrewDonnellan''

''Revision 3980 by AndrewDonnellan, 2018-10-30T04:33:09Z: Created page with "I'm a kernel + firmware hacker at IBM Australia (OzLabs) working on Power."''

I'm a kernel + firmware hacker at IBM Australia (OzLabs) working on Power.

----
''Page: User:RussellCurrey''

''Revision 3981 by RussellCurrey, 2018-10-30T04:35:26Z: Created page with " == ruscur == I'm [https://russell.cc Russell Currey] aka ruscur, an Australian kernel hacker working at IBM [https://ozlabs.org OzLabs]. Currently focused on POWER kernel h..."''

== ruscur ==
I'm [https://russell.cc Russell Currey] aka ruscur, an Australian kernel hacker working at IBM [https://ozlabs.org OzLabs]. Currently focused on POWER kernel hardening. You can email my handle at russell.cc or find me on twitter [https://twitter.com/russelldotcc @russelldotcc].

----
''Page: Kernel Self Protection Project/Work''

''Revision 3982 (parent 3881) by KeesCook, 2018-10-31T22:25:45Z: /* Specific TODO Items */''

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.
The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()s
* vmalloc stack guard pages (in progress)
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* rename CONFIG_DEBUG_LIST better and default=y
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* create defconfig "make" target for by-default hardened Kconfigs
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* wire up LKDTM tests to kselftest
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary on arm and arm64

----
''Revision 3987 (parent 3982) by KeesCook, 2019-04-11T21:47:08Z: /* Specific TODO Items */''

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.
The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF()
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range
* audit and fix all misuse of NLA_STRING
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

----
''Page: Exploit Methods/Userspace execution''

''Revision 3986 (parent 3814) by RussellCurrey, 2019-03-25T02:40:10Z: update for powerpc''

= Details =
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be in userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there. (Frequently known as "ret2usr".)

For more details, see [[Exploit Methods/Userspace data usage|Userspace access]], as that can be a superset of userspace execution under some emulation situations.

= Examples =
* See nearly every other exploit example listed under other [[Exploit Methods]] and [[Bug Classes]].

= Mitigations =
* hardware segregation: SMEP (x86), PXN (arm)
* compiler instrumentation to set high bit on function calls
* emulate memory segregation via separate page tables (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:

{| class="wikitable"
!colspan="2"|CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit) non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v7 (32-bit) LPAE (e.g. Cortex-A7, A15+)
| hardware PXN (since Linux v3.19)
|-
| v8.0+ (64-bit)
| hardware PXN
|-
|rowspan="2"| x86
| pre-Ivy-Bridge
|style="color: red;"| nothing (could use PCID?)
|-
| Ivy-Bridge+ (since May 2012)
| hardware PXN (SMEP)
|-
|colspan="2"| s/390
| hardware PXN (Address Spaces)
|-
|rowspan="2"| powerpc
| radix MMU (since POWER9)
| hardware PXN (KUEP, since Linux v4.10)
|-
| hash MMU (since POWER7)
|style="color: red;"| nothing yet, but implementation possible
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

----
''Page: Exploit Methods/Userspace data usage''

''Revision 3988 (parent 3817) by RussellCurrey, 2019-05-08T05:19:21Z: update PAN for powerpc''

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that under some emulation situations, this can be a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. (If we can protect against userspace access, we'll also be protecting against userspace execution.) Hardware protections tend to be separate, though, due to different memory paths for instruction fetch (execution) and data access (read/write).

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segregation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segregation via segments, Domains, page table swapping, PCID, etc. e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"|CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v8.0 (64-bit)
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9 [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing (could use PCID?)
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|rowspan="2"| powerpc
| radix MMU (since POWER9)
| hardware PAN (KUAP, [https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?h=next&id=890274c2dc4c0a57ae5a12d6a76fa6d05b599d98 likely since Linux v5.2])
|-
| hash MMU (since POWER7)
|style="color: red;"| nothing yet, but implementation possible
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

----
''Revision 3989 (parent 3988) by RussellCurrey, 2019-05-13T04:55:17Z: ppc PAN merged in 5.2''

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Note that under some emulation situations, this can be a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. (If we can protect against userspace access, we'll also be protecting against userspace execution.) Hardware protections tend to be separate, though, due to different memory paths for instruction fetch (execution) and data access (read/write).

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segregation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segregation via segments, Domains, page table swapping, PCID, etc. e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"|CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v8.0 (64-bit)
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9 [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing (could use PCID?)
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|rowspan="2"| powerpc
| radix MMU (since POWER9)
| hardware PAN (KUAP, since Linux 5.2)
|-
| hash MMU (since POWER7)
|style="color: red;"| nothing yet, but implementation possible
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

----
''Revision 3999 (parent 3989) by ChristopheLeroy, 2019-07-31T12:48:52Z: /* Mitigations */''

= Details =
Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.
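The dereference described above lands on a structure the attacker laid out in userspace; the Privileged Access Never family of mitigations this page lists (SMAP, PAN, KUAP and the software-emulated variants) makes such a dereference fault unless the kernel has explicitly opened user access around a copy routine. As an added example, not code from the kernsec wiki or from the Linux kernel, the following C program models that policy in userspace: TASK_SIZE_MODEL, the user-access window functions and the sample addresses are constructed for the illustration, and the range check follows the overflow-safe shape of the kernel's access_ok() rather than being the kernel's implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed user/kernel split for the model (64-bit, 47-bit user range). */
#define TASK_SIZE_MODEL ((uintptr_t)1 << 47)

/* Models the PAN/SMAP state: user memory is reachable only while "open". */
static bool user_access_open = false;

static void user_access_begin(void) { user_access_open = true; }
static void user_access_end(void)   { user_access_open = false; }

/* Overflow-safe check that [addr, addr + size) lies entirely below
 * TASK_SIZE_MODEL.  The addition is checked so that a huge size cannot
 * wrap the end address back into the user range. */
bool range_in_user(uintptr_t addr, size_t size)
{
    uintptr_t end;

    if (__builtin_add_overflow(addr, size, &end))
        return false;
    return end <= TASK_SIZE_MODEL;
}

enum deref_result { DEREF_OK = 0, DEREF_FAULT_PAN = 1, DEREF_FAULT_RANGE = 2 };

/* A kernel-mode dereference of [addr, addr + size) under the modelled
 * policy.  A plain dereference that lands in the user range faults
 * unless the user-access window is open; a range that straddles the
 * user/kernel boundary faults regardless.  Kernel-range addresses pass. */
enum deref_result kernel_deref(uintptr_t addr, size_t size)
{
    if (addr < TASK_SIZE_MODEL) {
        if (!range_in_user(addr, size))
            return DEREF_FAULT_RANGE;
        if (!user_access_open)
            return DEREF_FAULT_PAN;
    }
    return DEREF_OK;
}

/* The sanctioned path, shaped like copy_from_user(): validate the range,
 * open the window only around the copy, then close it again. */
enum deref_result copy_from_user_model(uintptr_t uaddr, size_t size)
{
    enum deref_result r;

    if (!range_in_user(uaddr, size))
        return DEREF_FAULT_RANGE;
    user_access_begin();
    r = kernel_deref(uaddr, size);
    user_access_end();
    return r;
}

/* True when the window is closed again after a copy. */
bool user_access_is_closed(void) { return !user_access_open; }

int main(void)
{
    /* Constructed sample addresses, not taken from any real system. */
    uintptr_t user_struct   = (uintptr_t)0x10203000ULL;
    uintptr_t kernel_struct = UINTPTR_MAX - 0x10000;

    printf("plain deref of user struct:    %d (1 = PAN fault)\n",
           kernel_deref(user_struct, 64));
    printf("copy_from_user of user struct: %d (0 = ok)\n",
           copy_from_user_model(user_struct, 64));
    printf("plain deref of kernel struct:  %d (0 = ok)\n",
           kernel_deref(kernel_struct, 64));
    printf("range straddling the boundary: %d (2 = range fault)\n",
           kernel_deref(TASK_SIZE_MODEL - 8, 64));
    return 0;
}
```

Build it with gcc or clang (both provide __builtin_add_overflow). The point of the model is the first and second lines of output: the same user address is a fault when reached by an ordinary pointer dereference and a success when reached through the copy path, which is exactly the property the hardware features in the table enforce.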
Note that under some emulation situations, this can be a superset that includes [[Exploit Methods/Userspace execution|Userspace execution]]. (If we can protect against userspace access, we'll also be protecting against userspace execution.) Hardware protections tend to be separate, though, due to different memory paths for instruction fetch (execution) and data access (read/write).

= Examples =
* [https://github.com/geekben/towelroot/blob/master/towelroot.c cred structure]
* [http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ fake kernel stack]
* [http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91 Bad casts]

= Mitigations =
* hardware segregation: SMAP (x86), PAN (arm, arm64), Domains (arm)
* emulated PAN (memory segregation via segments, Domains, page table swapping, PCID, etc. e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged Access Never (PAN) are:

{| class="wikitable"
!colspan="2"|CPU
! Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit)
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v8.0 (64-bit)
| CONFIG_ARM64_SW_TTBR0_PAN (likely Linux v4.9 [http://www.openwall.com/lists/kernel-hardening/2016/09/13/3 Catalin's series])
|-
| v8.1 (defined since December 2014)
| hardware PAN (none shipping)
|-
|rowspan="2"| x86
| pre-late-Broadwell
|style="color: red;"| nothing (could use PCID?)
|-
| Broadwell+ (since October 2014)
| hardware PAN (SMAP)
|-
|colspan="2"| s/390
| hardware PAN (Address Spaces)
|-
|rowspan="4"| powerpc
| radix MMU (since POWER9)
| hardware PAN (KUAP, since Linux 5.2)
|-
| PPC64 hash MMU (since POWER7)
|style="color: red;"| nothing yet, but implementation possible
|-
| PPC32 hash MMU
| hardware PAN (KUAP)
|-
| MPC 8xx
| hardware PAN (KUAP)
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

----
''Page: Kernel Self Protection Project/Work''

''Revision 3990 (parent 3987) by RomainPerier, 2019-06-10T16:07:38Z: /* Kernel items */''

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.

The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF()
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range
* audit and fix all misuse of NLA_STRING (WIP: rperier)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

----
''Revision 3991 (parent 3990) by RomainPerier, 2019-06-10T16:08:59Z: /* Kernel items */''

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many.

The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390.
Needed on arm, powerpc and others?) * Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?) * Implement kernel relocation and KASLR for ARM * Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it) * Further restriction of perf_event_open (e.g. perf_event_paranoid=3) * Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc() * split short-lived kmalloc()s from long-lived kmalloc()s * split user-size-controlled kmalloc()s from regular kmalloc()s * protect ARM vector table as fixed-location kernel target * disable kuser helpers on arm * add constant-blinding tests to lib/test_bpf.c * rename CONFIG_DEBUG_LIST better and default=y * create defconfig "make" target for by-default hardened Kconfigs * expand use of __ro_after_init, especially in arch/arm64 * restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM]) * set_memory_*() needs __must_check and/or atomicity * refactor tasklets to avoid unsigned long argument * have kfree() (and related) set the pointer to NULL too * create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?) * deprecate strcpy() in favor of strscpy() * deprecate strlcpy() in favor of strscpy() * deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad() * fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF() * expand use of opt-in mult/div/add/sub overflow wrappers * WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>) * audit and fix all misuse of NLA_STRING (WIP: Romain Perier <romain.perier@gmail.com> (aka "rperier", on IRC)) * add detection for double-reads * add FORTIFY_SOURCE checks to strscpy*() * add static_branch for iopl removal (and zeroing?) 
* enhance objtool to search for ROP gadgets * signed integer overflow detection * unsigned integer overflow detection * exec brute force detection == Compiler items == * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings) * Finish Clang implementation of __randomize_layout * Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch) 224030040b4f2c5d36bba713735ec32f04579de3 3992 3991 2019-06-27T14:28:17Z RomainPerier 15 /* Kernel items */ wikitext text/x-wiki = Work Areas = The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to: == [[Bug Classes]] == * [[Bug Classes/Stack overflow|Stack overflow]] * [[Bug Classes/Integer overflow|Integer overflow]] * [[Bug Classes/Heap overflow|Heap overflow]] * [[Bug Classes/Format string injection|Format string injection]] * [[Bug Classes/Kernel pointer leak|Kernel pointer leak]] * [[Bug Classes/Uninitialized variables|Uninitialized variables]] * [[Bug Classes/Use after free|Use-after-free]] == [[Exploit Methods|Exploitation Methods]] == * [[Exploit Methods/Kernel location|Kernel location]] * [[Exploit Methods/Text overwrite|Text overwrite]] * [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]] * [[Exploit Methods/Userspace execution|Userspace execution]] * [[Exploit Methods/Userspace data usage|Userspace data usage]] * [[Exploit Methods/Reused code chunks|Reused code chunks]] = Specific TODO Items = Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention: == Kernel items == * Split thread_info off of kernel stack (Done: x86, arm64, s390. 
Needed on arm, powerpc and others?) * Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?) * Implement kernel relocation and KASLR for ARM * Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it) * Further restriction of perf_event_open (e.g. perf_event_paranoid=3) * Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc() * split short-lived kmalloc()s from long-lived kmalloc()s * split user-size-controlled kmalloc()s from regular kmalloc()s * protect ARM vector table as fixed-location kernel target * disable kuser helpers on arm * add constant-blinding tests to lib/test_bpf.c * rename CONFIG_DEBUG_LIST better and default=y * create defconfig "make" target for by-default hardened Kconfigs * expand use of __ro_after_init, especially in arch/arm64 * restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM]) * set_memory_*() needs __must_check and/or atomicity * refactor tasklets to avoid unsigned long argument * have kfree() (and related) set the pointer to NULL too * create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?) * deprecate strcpy() in favor of strscpy() * deprecate strlcpy() in favor of strscpy() * deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad() * fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF() * expand use of opt-in mult/div/add/sub overflow wrappers * WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>) * audit and fix all misuse of NLA_STRING (DONE) * add detection for double-reads * add FORTIFY_SOURCE checks to strscpy*() * add static_branch for iopl removal (and zeroing?) 
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

f021c165e36c40610bb9a552b478124030cb9eab
3993 3992 2019-06-27T14:28:53Z RomainPerier 15 /* Kernel items */ wikitext text/x-wiki

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF()
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

f8f01285bc3bd60c26dd0a92de1a0847d6f0191f
3994 3993 2019-07-01T09:52:58Z RomainPerier 15 /* Kernel items */ wikitext text/x-wiki

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF() (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

37cef3df21d917c1e0f66b7ffa35d77ae145e4c4
3995 3994 2019-07-03T18:13:05Z RomainPerier 15 /* Kernel items */ wikitext text/x-wiki

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument (WIP: Romain Perier <romain.perier@gmail.com>, "rperier" on FreeNode)
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF() (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

694f16b868253c6045a965fbe595082451d38bd3
3996 3995 2019-07-31T12:20:02Z ChristopheLeroy 14 wikitext text/x-wiki

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390, powerpc. Needed on arm and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument (WIP: Romain Perier <romain.perier@gmail.com>, "rperier" on FreeNode)
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF() (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

4c0c8b984655488781f0cd906ea69dda772eb0ea
4000 3996 2019-11-20T17:43:18Z KeesCook 3 /* Specific TODO Items */ add github tracker wikitext text/x-wiki

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =
Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention. The list below is slightly out of date, and we are transitioning to better tracking here: https://github.com/KSPP/linux/issues

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390, powerpc. Needed on arm and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument (WIP: Romain Perier <romain.perier@gmail.com>, "rperier" on FreeNode)
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF() (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

b26e4ea1b0081aaa62bf3c859780be1c55817d91
4015 4000 2020-08-10T18:41:56Z KeesCook 3 the issue track is canonical now wikitext text/x-wiki

= Work Areas =
The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. For the list of specific items and desired features, see the [https://github.com/KSPP/linux/issues KSPP Issue Tracker].
General concepts and concerns are here:

== [[Bug Classes]] ==
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

778e28163b8a614eae41e0efd20d9266042d5062

Exploit Methods/Userspace execution 0 175
3997 3986 2019-07-31T12:32:16Z ChristopheLeroy 14 /* Mitigations */ wikitext text/x-wiki

= Details =
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be in userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there. (Frequently known as "ret2usr".) For more details, see [[Exploit Methods/Userspace data usage|Userspace access]], as that can be a superset of userspace execution under some emulation situations.

= Examples =
* See nearly every other exploit example listed under other [[Exploit Methods]] and [[Bug Classes]].

= Mitigations =
* hardware segregation: SMEP (x86), PXN (arm)
* compiler instrumentation to set high bit on function calls
* emulate memory segregation via separate page tables (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:

{| class="wikitable"
!colspan="2"|CPU
!
Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit) non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v7 (32-bit) LPAE (e.g. Cortex-A7, A15+)
| hardware PXN (since Linux v3.19)
|-
| v8.0+ (64-bit)
| hardware PXN
|-
|rowspan="2"| x86
| pre-Ivy-Bridge
|style="color: red;"| nothing (could use PCID?)
|-
| Ivy-Bridge+ (since May 2012)
| hardware PXN (SMEP)
|-
|colspan="2"| s/390
| hardware PXN (Address Spaces)
|-
|rowspan="2"| powerpc
| radix MMU (since POWER9)
| hardware PXN (KUEP, since Linux v4.10)
|-
| PPC64 hash MMU (since POWER7)
|style="color: red;"| nothing yet, but implementation possible
|-
| PPC32 hash MMU (except 601 which doesn't have NX segment)
| hardware PXN (KUEP)
|-
| MPC 8xx
| hardware PXN (KUEP)
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

e072ff090b263878ea189320c393ac0b071f0319
3998 3997 2019-07-31T12:33:26Z ChristopheLeroy 14 /* Mitigations */ wikitext text/x-wiki

= Details =
Once an attacker has gained control over the instruction pointer, it must be aimed somewhere. The place where attackers have the most control over memory layout tends to be in userspace, so it has been natural to place malicious code in userspace and have the kernel redirect execution there. (Frequently known as "ret2usr".) For more details, see [[Exploit Methods/Userspace data usage|Userspace access]], as that can be a superset of userspace execution under some emulation situations.

= Examples =
* See nearly every other exploit example listed under other [[Exploit Methods]] and [[Bug Classes]].

= Mitigations =
* hardware segregation: SMEP (x86), PXN (arm)
* compiler instrumentation to set high bit on function calls
* emulate memory segregation via separate page tables (e.g. PAX_MEMORY_UDEREF)

Right now, the upstream options available for Privileged eXecute Never (e.g. PXN, SMEP) are:

{| class="wikitable"
!colspan="2"|CPU
!
Feature Name
|-
|rowspan="3"| ARM
| v7 (32-bit) non-LPAE
| CONFIG_CPU_SW_DOMAIN_PAN (since Linux v4.3)
|-
| v7 (32-bit) LPAE (e.g. Cortex-A7, A15+)
| hardware PXN (since Linux v3.19)
|-
| v8.0+ (64-bit)
| hardware PXN
|-
|rowspan="2"| x86
| pre-Ivy-Bridge
|style="color: red;"| nothing (could use PCID?)
|-
| Ivy-Bridge+ (since May 2012)
| hardware PXN (SMEP)
|-
|colspan="2"| s/390
| hardware PXN (Address Spaces)
|-
|rowspan="4"| powerpc
| radix MMU (since POWER9)
| hardware PXN (KUEP, since Linux v4.10)
|-
| PPC64 hash MMU (since POWER7)
|style="color: red;"| nothing yet, but implementation possible
|-
| PPC32 hash MMU (except 601 which doesn't have NX segment)
| hardware PXN (KUEP)
|-
| MPC 8xx
| hardware PXN (KUEP)
|-
|colspan="2"| MIPS
|style="color: red;"| nothing (could use ASID switching?)
|}

62dfb171b7998bdfca06a3b854f45611940b234a

Kernel Self Protection Project/Recommended Settings 0 183
4001 3983 2020-03-04T17:42:37Z KeesCook 3 update for v5.4 wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system:

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=1
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=1
CONFIG_INIT_ON_FREE_DEFAULT_ON=1
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=1 below)
CONFIG_INIT_STACK_ALL=1
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is unset

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

= kernel command line options =
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Wipe slab and page allocations (supersedes "slub_debug=P" and "page_poison=1" above, since v5.3)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=1 and CONFIG_INIT_ON_FREE_DEFAULT_ON=1 above.
init_on_alloc=1
init_on_free=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 7e535734e89a0b3beac2438a7e1af2b10b42fe51 4002 4001 2020-03-05T18:33:09Z KeesCook 3 /* CONFIGs */ swap some "=1" to the correct "=y" wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) 
CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. 
# CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. 
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). 
page_poison=1 # Wipe slab and page allocations (supersedes "slub_debug=P" and "page_poison=1" above, since v5.3) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=1 and CONFIG_INIT_ON_FREE_DEFAULT_ON=1 above. init_on_alloc=1 init_on_free=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 2a4cf003c0c035199070837d5bc37fc911e8e33c 4003 4002 2020-03-05T18:33:30Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. 
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). 
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. 
# CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. 
CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Wipe slab and page allocations (supersedes "slub_debug=P" and "page_poison=1" above, since v5.3) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. 
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 7d8c33c18a42e7d0a64129e123f0e03657130953 4004 4003 2020-03-18T22:25:15Z KeesCook 3 /* x86_32 */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) 
# CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. 
CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. 
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. 
CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is unset == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y = kernel command line options = # Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Wipe slab and page allocations (supersedes "slub_debug=P" and "page_poison=1" above, since v5.3) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. 
user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 a59f78c156fb5b0aa73962b829fa3aecbdd82f7b 4005 4004 2020-03-18T22:26:24Z KeesCook 3 re-arrange arch sections wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system: = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) 
CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. 
# CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. 
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is unset

= kernel command line options =
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Wipe slab and page allocations (supersedes "slub_debug=P" and "page_poison=1" above, since v5.3)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

sha1 c71c1fff982f048359a88e8df8511d49f1c21732

Revision 4006 (parent 4005), 2020-03-18T22:28:28Z, KeesCook, edit summary: /* x86_32 */

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system:

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is unset

= kernel command line options =
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Wipe slab and page allocations (supersedes "slub_debug=P" and "page_poison=1" above, since v5.3)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

sha1 fc37d686f4eacb3bcc6c88ec3c04894f4e95b7bc

Revision 4007 (parent 4006), 2020-03-18T22:28:49Z, KeesCook, edit summary: /* arm */

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system:

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry.
# (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Wipe slab and page allocations (supersedes "slub_debug=P" and "page_poison=1" above, since v5.3)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

sha1 c516c92e4a3f6958ca025da44a9e08daa78061a8

Revision 4008 (parent 4007), 2020-03-19T01:45:31Z, KeesCook

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[[https://github.com/a13xp0p0v/kconfig-hardened-check/|kconfig-hardened-check]]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry.
# (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Wipe slab and page allocations (supersedes "slub_debug=P" and "page_poison=1" above, since v5.3)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

sha1 4ee327780bd47f7fb87b5060ed3dce376c8c81a2

Revision 4009 (parent 4008), 2020-03-19T01:46:13Z, KeesCook

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry.
# (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Wipe slab and page allocations (supersedes "slub_debug=P" and "page_poison=1" above, since v5.3)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

Revision 4022 (parent 4009), 2020-10-18T17:29:37Z, KeesCook, edit summary "/* kernel command line options */ add some more ideas from Simon Ruderich", sha1 1d5670e5e5753ee7f72541bdb83a29575e9faa9f

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry.
# (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

Revision 4023 (parent 4022), 2020-10-18T17:37:13Z, KeesCook, edit summary "/* CONFIGs */ suggest the CONFIG form of kernel.dmesg_restrict sysctl", sha1 1f18c8ee3b3f9f2fe829d0d35f603f2a06201c5d

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry.
# (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

Revision 4024 (parent 4023), 2020-10-18T17:47:19Z, KeesCook, edit summary "/* sysctls */ add notes about sysctl to CONFIG mappings", sha1 3deb80aae999052b2c0cf634565541b48bdd50a1

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.
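As an added example (not part of the wiki page or the KSPP's own tooling), the following POSIX shell audit checks a kernel .config and a "sysctl -a" snapshot against a subset of the CONFIGs and sysctls recommended above and reports every deviation. The option subset, the two input formats and the sample inputs are assumptions of this example, and the sample inputs are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the KSPP wiki: audit a kernel ".config" and a
# "sysctl -a" snapshot against a subset of the recommended settings.
# The option subset, input formats and sample inputs below are assumptions.

# Recommended CONFIG values: NAME EXPECTED ("y", "n", or a literal value).
# "n" means "# NAME is not set" or the option being absent entirely.
WANT_CONFIGS='
CONFIG_STRICT_KERNEL_RWX y
CONFIG_STACKPROTECTOR_STRONG y
CONFIG_HARDENED_USERCOPY y
CONFIG_SLAB_FREELIST_HARDENED y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON y
CONFIG_PAGE_TABLE_ISOLATION y
CONFIG_MODULE_SIG_FORCE y
CONFIG_DEFAULT_MMAP_MIN_ADDR 65536
CONFIG_DEVKMEM n
CONFIG_PROC_KCORE n
'

# Recommended sysctl values from the "sysctls" section.
WANT_SYSCTLS='
kernel.kptr_restrict 1
kernel.dmesg_restrict 1
kernel.perf_event_paranoid 3
kernel.kexec_load_disabled 1
kernel.yama.ptrace_scope 1
user.max_user_namespaces 0
kernel.unprivileged_bpf_disabled 1
net.core.bpf_jit_harden 2
'

# config_value FILE NAME: print the option's value, or "n" if unset/absent.
# Matching on "NAME=" keeps CONFIG_MODULE_SIG from matching CONFIG_MODULE_SIG_FORCE.
config_value() {
    awk -v n="$2" '
        $1 == "#" && $2 == n && $3 == "is" && $4 == "not" { print "n"; found = 1; exit }
        index($0, n "=") == 1 { print substr($0, length(n) + 2); found = 1; exit }
        END { if (!found) print "n" }
    ' "$1"
}

# sysctl_value FILE NAME: print the value from a "key = value" line, or "missing".
sysctl_value() {
    awk -v n="$2" '
        $1 == n && $2 == "=" { print $3; found = 1; exit }
        END { if (!found) print "missing" }
    ' "$1"
}

# check_list LIST LOOKUP FILE: compare every "NAME EXPECTED" pair in LIST with
# LOOKUP(FILE, NAME); print one MISMATCH line per deviation, return the count.
check_list() {
    bad=0
    while read -r name want; do
        [ -z "$name" ] && continue
        got=$("$2" "$3" "$name")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: want=$want got=$got"
            bad=$((bad + 1))
        fi
    done <<EOF
$1
EOF
    return "$bad"
}

check_configs() { check_list "$WANT_CONFIGS" config_value "$1"; }
check_sysctls() { check_list "$WANT_SYSCTLS" sysctl_value "$1"; }

# write_samples DIR: constructed sample inputs (not from a real system) that
# deliberately deviate in a few places: two hardening options unset, /proc/kcore
# enabled, perf_event_paranoid too low, and bpf_jit_harden not present at all.
write_samples() {
    cat >"$1/config" <<'EOF'
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# CONFIG_DEVKMEM is not set
CONFIG_PROC_KCORE=y
EOF
    cat >"$1/sysctl" <<'EOF'
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 2
kernel.kexec_load_disabled = 1
kernel.yama.ptrace_scope = 1
user.max_user_namespaces = 0
kernel.unprivileged_bpf_disabled = 1
EOF
}

# Demo run against the constructed samples. On a live system point the checks at
# /boot/config-$(uname -r) (or the output of zcat /proc/config.gz) and "sysctl -a".
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_configs "$demo_dir/config" || echo "config deviations: $?"
check_sysctls "$demo_dir/sysctl" || echo "sysctl deviations: $?"
rm -rf "$demo_dir"
```

The return value of each check is the number of deviations, so it can be used directly as an exit status in a build or boot-time gate.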
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry.
# (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. 
CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. 
# CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). smt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. 
217b30a00db5c55b8deb8fcafdc5de77458ab8b4 4025 4024 2020-11-09T11:00:28Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki
160beaa4353311d74b3e10807055efa82ab9086b 4026 4025 2021-04-05T23:14:07Z KeesCook 3 /* x86_64 */ wikitext text/x-wiki
f3aced58ad458c846a5a36282d9e511d50512cde 4027 4026 2021-04-05T23:14:26Z KeesCook 3 /* x86_32 */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 # Randomize high-order page allocation freelist.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). 
 slub_debug=P
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

84707a56c29f5a2a2a24f68312c92ef2e37f61dc 4030 4027 2021-09-15T22:45:36Z Anthraxx 16 Add randomize_kstack_offset (CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT) for x86_64, arm64 and x86_32 (since v5.13) wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.
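As an added example (not code from this wiki page or from the kconfig-hardened-check tool), the following Python script checks a kernel <code>.config</code> and a set of sysctl values against a subset of the CONFIG and sysctl recommendations listed below; the recommendation tables are transcribed from the page and the sample <code>.config</code> is constructed for demonstration.

```python
"""Added example: compare a kernel .config and sysctl values against a subset
of the KSPP recommended settings on this page.  The expected values are taken
from the page; the SAMPLE_CONFIG fragment is constructed for demonstration."""
import re
import sys
from pathlib import Path

# Subset of the page's CONFIGs (x86_64, v5.13+): True means the option must be
# "=y", False means it must appear as "# CONFIG_... is not set".
RECOMMENDED_CONFIG = {
    "CONFIG_STRICT_KERNEL_RWX": True,
    "CONFIG_DEBUG_WX": True,
    "CONFIG_STACKPROTECTOR_STRONG": True,
    "CONFIG_DEVMEM": False,
    "CONFIG_SECCOMP_FILTER": True,
    "CONFIG_HARDENED_USERCOPY": True,
    "CONFIG_HARDENED_USERCOPY_FALLBACK": False,
    "CONFIG_SLAB_FREELIST_HARDENED": True,
    "CONFIG_FORTIFY_SOURCE": True,
    "CONFIG_PROC_KCORE": False,
    "CONFIG_MODULE_SIG_FORCE": True,
    "CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT": True,
}
# sysctls from the page's "sysctls" section: name -> expected value (as text).
RECOMMENDED_SYSCTL = {
    "kernel.kptr_restrict": "1",
    "kernel.dmesg_restrict": "1",
    "kernel.kexec_load_disabled": "1",
    "kernel.yama.ptrace_scope": "1",
    "user.max_user_namespaces": "0",
    "kernel.unprivileged_bpf_disabled": "1",
    "net.core.bpf_jit_harden": "2",
}

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """CONFIG_* symbol -> value; "# X is not set" -> None; unmentioned symbols absent."""
    values = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line.strip())
        if m:
            values[m.group(1)] = None
    return values


def check_config(values, recommended=RECOMMENDED_CONFIG):
    """{symbol: (expected, actual)} for each unmet recommendation.  A symbol the
    file never mentions is reported as "missing" and counts as off: Kconfig drops
    options whose dependencies are unmet, so such an option is not built in."""
    problems = {}
    for sym, want_on in recommended.items():
        actual = values.get(sym)
        if (actual == "y") != want_on:
            got = "missing" if sym not in values else (actual or "is not set")
            problems[sym] = ("y" if want_on else "is not set", got)
    return problems


def check_sysctl(current, recommended=RECOMMENDED_SYSCTL):
    """{name: (expected, actual)} for sysctls that differ from the page's values;
    a knob absent from `current` is reported with actual value None."""
    return {name: (want, current.get(name))
            for name, want in recommended.items() if current.get(name) != want}


def read_live_sysctls(names=RECOMMENDED_SYSCTL):
    """Read the named sysctls from /proc/sys on the running kernel (Linux only).
    Knobs the kernel lacks (e.g. yama.* without CONFIG_SECURITY_YAMA) are skipped."""
    found = {}
    for name in names:
        path = Path("/proc/sys") / name.replace(".", "/")
        if path.is_file():
            found[name] = path.read_text().strip()
    return found


# Constructed sample .config fragment with several options deliberately wrong.
SAMPLE_CONFIG = """\
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_DEBUG_WX is not set
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_DEVMEM=y
CONFIG_SECCOMP_FILTER=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_PROC_KCORE=y
CONFIG_MODULE_SIG_HASH="sha512"
"""

if __name__ == "__main__":
    # Usage: python check_kspp.py [/path/to/.config]; defaults to SAMPLE_CONFIG.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for sym, (want, got) in sorted(check_config(parse_config(text)).items()):
        print(f"{sym}: want {want}, got {got}")
    for name, (want, got) in sorted(check_sysctl(read_live_sysctls()).items()):
        print(f"{name}: want {want}, got {got}")
```

On a running Linux system the live sysctl check reports every knob that differs from the page's values; on other systems every sysctl is reported with actual value None because nothing could be read.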
= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 # Randomize high-order page allocation freelist.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyper threading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

cc5b9354c14b33c375da1fc3ea4a8f9b337c604b 4031 4030 2021-09-15T22:51:20Z Anthraxx 16 Add missing critical whitespaces to the newly added randomize_kstack_offset entries to preserve a single visual block wikitext text/x-wiki

838714951c76789cd4b90803248a1bdb0d61a703 Events 0 6 4010 3984 2020-07-23T22:28:49Z JamesMorris 2 /* Past */ wikitext text/x-wiki

== Upcoming ==

== Past ==

=== 2020 ===
* [https://events.linuxfoundation.org/linux-security-summit-north-america/ Linux Security Summit North America 2020], Virtual, July 1-2.
=== 2019 ===
* [https://events19.linuxfoundation.org/events/linux-security-summit-north-america-2019 Linux Security Summit North America 2019]
* [https://events19.linuxfoundation.org/events/linux-security-summit-europe-2019 Linux Security Summit Europe 2019]

=== 2018 ===
* [http://events.linuxfoundation.org/events/linux-security-summit-europe Linux Security Summit Europe 2018], Edinburgh, UK, October 25-26.
* [http://events.linuxfoundation.org/events/linux-security-summit-north-america Linux Security Summit North America 2018], Vancouver, Canada, August 27-28.

=== 2017 ===
* [[Linux Kernel Summit 2017, Security Session]], Prague, Czech Republic, October 24.
* [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15.

=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada, August 25-26.

=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA, August 20-21.

=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].

=== 2013 ===
* [[Linux Security Summit 2013]], New Orleans, USA.

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston, MA, USA.

=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland, OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland, OR, USA.
** Event Details
* Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf, 20 January 2009, Hobart, Australia.
d140338f96d18f3e6d82c45cc281b52eeeccc89f 4011 4010 2020-07-23T22:29:03Z JamesMorris 2 /* = 2020 */ wikitext text/x-wiki

2dc9dc2b0781749746ea018246d1ceff01981637 4012 4011 2020-07-23T22:29:25Z JamesMorris 2 /* Past */ wikitext text/x-wiki

dab50dc6a5410917f72247d2c8f58411d121dc31 4013 4012 2020-07-23T22:30:58Z JamesMorris 2 /* Upcoming */ wikitext text/x-wiki

35c89db2f004e596bda03a30457cd9466d18629c 4014 4013 2020-07-23T22:34:01Z JamesMorris 2 /* 2019 */ wikitext text/x-wiki

== Upcoming ==

=== 2020 ===
* [https://events.linuxfoundation.org/linux-security-summit-europe/ Linux Security Summit Europe 2020], Online, October 29-30.

== Past ==

=== 2020 ===
* [https://events.linuxfoundation.org/linux-security-summit-north-america/ Linux Security Summit North America 2020], Online, July 1-2.

=== 2019 ===
* [https://events19.linuxfoundation.org/events/linux-security-summit-north-america-2019 Linux Security Summit North America 2019], San Diego, USA, August 19-21.
* [https://events19.linuxfoundation.org/events/linux-security-summit-europe-2019 Linux Security Summit Europe 2019], Lyon, France, October 31 - November 1.

=== 2018 ===
* [http://events.linuxfoundation.org/events/linux-security-summit-europe Linux Security Summit Europe 2018], Edinburgh, UK, October 25-26.
* [http://events.linuxfoundation.org/events/linux-security-summit-north-america Linux Security Summit North America 2018], Vancouver, Canada, August 27-28.

=== 2017 ===
* [[Linux Kernel Summit 2017, Security Session]], Prague, Czech Republic, October 24.
* [[Linux Security Summit 2017]], Los Angeles, USA, Sept 14-15.

=== 2016 ===
* [[Linux Security Summit 2016]], Toronto, Canada, August 25-26.

=== 2015 ===
* [[Linux Security Summit 2015]], Seattle, WA, USA, August 20-21.

=== 2014 ===
* [[Linux Security Summit 2014]], 18-19 August, Chicago, USA. Co-located with [http://events.linuxfoundation.org/events/linuxcon LinuxCon].

=== 2013 ===
* [[Linux Security Summit 2013]], New Orleans, USA.

=== 2012 ===
* [[Linux Security Summit 2012]], San Diego, CA, USA.

=== 2011 ===
* [[Linux Security Summit 2011]], Santa Rosa, CA, USA.

=== 2010 ===
* [https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 Linux Security Summit 2010], Boston, MA, USA.

=== 2009 ===
* Security Microconf at the Linux Plumbers Conference 2009, September, Portland, OR, USA.
** CFP
** LWN discussion
* SELinux Developer Summit at LinuxCon 2009, September, Portland, OR, USA.
** Event Details
* Security BoF (Birds of a Feather) meeting at the Japan Linux Symposium, October 2009, Tokyo, Japan.
** Enhanced Securities: Where Should We Go Next
* Kernel Conference Australia, July 2009, Brisbane, Australia.
* LCA security miniconf, 20 January 2009, Hobart, Australia.

a0f8ff46a812bf5d516c5d301fe5a79831017e97 Kernel Self Protection Project/Get Involved 0 182 4016 3979 2020-09-29T17:18:04Z KeesCook 3 update mailing list wikitext text/x-wiki

Want to get involved in the [[Kernel Self Protection Project]]? [http://vger.kernel.org/vger-lists.html#linux-hardening Join] the [https://lore.kernel.org/linux-hardening/ Linux kernel hardening mailing list], or hop on IRC at <code>##linux-hardened</code> on [https://freenode.net/ freenode]. You may also want to join the general [https://www.openwall.com/lists/kernel-hardening/ kernel hardening list], where new topics are frequently discussed.

= Introduce Yourself =

Send an email to introduce yourself! Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it.
If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers. = Patch Contribution Guidelines = When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the kernel-hardening mailing list for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas. As with any other Open Source project, it is particularly important that if you're working on upstreaming work from other Open Source projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 Grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For Grsecurity copyright, when more specific details are not easy to find, the following could be used: Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc. 
Additionally, Grsecurity has asked that contributors include this in commit messages for non-trivial code ported from Grsecurity: $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. a2907b221b74849ac19c3a15f4bc323ca8bea881 4017 4016 2020-10-05T22:08:46Z KeesCook 3 update list descriptions, tweak capitalization, and split up contribution guideline better wikitext text/x-wiki Want to get involved in the [[Kernel Self Protection Project]]? Here's how: - Join the [http://vger.kernel.org/vger-lists.html#linux-hardening upstream Linux kernel hardening mailing list] where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].) - Join the [https://www.openwall.com/lists/kernel-hardening/ general Linux kernel hardening mailing list], where new hardening topics are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].) - (Optional) Join the <code>##linux-hardened</code> IRC channel on [https://freenode.net/ freenode]. = Introduce Yourself = Send an email to introduce yourself! Then pick an area of work from the [https://github.com/KSPP/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers. 
= Patch Contribution Guidelines = Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible. When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas. == grsecurity and other non-upstream patch sources == As with any other Free Software project, it is particularly important that if you're working on upstreaming work from other projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For grsecurity copyright, when more specific details are not easy to find, the following could be used: Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc. 
Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity: $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. 086e960ee20d15538a5e1fcbcfe3088f811f4094 4018 4017 2020-10-05T22:09:24Z KeesCook 3 wikitext text/x-wiki Want to get involved in the [[Kernel Self Protection Project]]? Here's how: * Join the [http://vger.kernel.org/vger-lists.html#linux-hardening upstream Linux kernel hardening mailing list] where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].) * Join the [https://www.openwall.com/lists/kernel-hardening/ general Linux kernel hardening mailing list], where new hardening topics are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].) * (Optional) Join the <code>##linux-hardened</code> IRC channel on [https://freenode.net/ freenode]. = Introduce Yourself = Send an email to introduce yourself! Then pick an area of work from the [https://github.com/KSPP/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers. 
= Patch Contribution Guidelines = Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible. When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas. == grsecurity and other non-upstream patch sources == As with any other Free Software project, it is particularly important that if you're working on upstreaming work from other projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For grsecurity copyright, when more specific details are not easy to find, the following could be used: Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc. 
Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity: $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. 86fe6e4ca9648875a4135d6fdec38f7b9a11d721 4019 4018 2020-10-05T22:13:20Z KeesCook 3 more cleanup wikitext text/x-wiki Want to get involved in the [[Kernel Self Protection Project]]? Here's how: = Join the conversations = * Join the [http://vger.kernel.org/vger-lists.html#linux-hardening upstream Linux kernel hardening mailing list] where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].) * Join the [https://www.openwall.com/lists/kernel-hardening/ general Linux kernel hardening mailing list], where new hardening topics are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].) * (Optional) Join the <code>##linux-hardened</code> IRC channel on [https://freenode.net/ freenode]. = Introduce Yourself = Send an email to the lists to introduce yourself! * What topics are you interested in? * What do you want to learn about? * What experience do you have with security, the kernel, programming, or anything else you think is important? = Pick something to work on = Pick something from the [https://github.com/KSPP/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers. 
= Contribute patches = Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible. When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas. == grsecurity and other non-upstream patch sources == As with any other Free Software project, it is particularly important that if you're working on upstreaming work from other projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For grsecurity copyright, when more specific details are not easy to find, the following could be used: Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc. 
Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity: $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. 85b54c634ba4640c3663a0b1c0af69dc2821a0fd 4020 4019 2020-10-05T22:22:27Z KeesCook 3 moar cleanup wikitext text/x-wiki Want to get involved in the [[Kernel Self Protection Project]]? Here's how: = Join the conversations = * Subscribe to the [http://vger.kernel.org/vger-lists.html#linux-hardening '''upstream''' Linux kernel hardening mailing list], <code>'''linux'''-hardening@vger.kernel.org</code>, where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].) * Subscribe to the [https://www.openwall.com/lists/kernel-hardening/ '''general''' Linux kernel hardening mailing list], <code>'''kernel'''-hardening@lists.openwall.com</code>, where new hardening topics and summaries of completed work are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].) ** Note: when sending to <code>kernel-hardening@lists.openwall.com</code>, please also CC <code>linux-hardening@vger.kernel.org</code> too. * (Optional) Join the <code>##linux-hardened</code> IRC channel on [https://freenode.net/ freenode]. = Introduce Yourself = Send an email to the lists to introduce yourself! * What topics are you interested in? * What do you want to learn about? * What experience do you have with security, the kernel, programming, or anything else you think is important. = Pick something to work on = Pick something from the [https://github.com/KSPP/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. 
If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers. = Contribute patches = Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible. When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas. == grsecurity and other non-upstream patch sources == As with any other Free Software project, it is particularly important that if you're working on upstreaming work from other projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. 
For grsecurity copyright, when more specific details are not easy to find, the following could be used: Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc. Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity: $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. a6a638a8ee82069638b8ef2780b7fc4f2502135d 4021 4020 2020-10-18T17:23:14Z KeesCook 3 /* Pick something to work on */ wikitext text/x-wiki Want to get involved in the [[Kernel Self Protection Project]]? Here's how: = Join the conversations = * Subscribe to the [http://vger.kernel.org/vger-lists.html#linux-hardening '''upstream''' Linux kernel hardening mailing list], <code>'''linux'''-hardening@vger.kernel.org</code>, where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].) * Subscribe to the [https://www.openwall.com/lists/kernel-hardening/ '''general''' Linux kernel hardening mailing list], <code>'''kernel'''-hardening@lists.openwall.com</code>, where new hardening topics and summaries of completed work are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].) ** Note: when sending to <code>kernel-hardening@lists.openwall.com</code>, please also CC <code>linux-hardening@vger.kernel.org</code> too. * (Optional) Join the <code>##linux-hardened</code> IRC channel on [https://freenode.net/ freenode]. = Introduce Yourself = Send an email to the lists to introduce yourself! * What topics are you interested in? * What do you want to learn about? * What experience do you have with security, the kernel, programming, or anything else you think is important. 
= Pick something to work on = Pick something from the [https://github.com/KSPP/linux/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers. = Contribute patches = Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible. When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas. == grsecurity and other non-upstream patch sources == As with any other Free Software project, it is particularly important that if you're working on upstreaming work from other projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. 
For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For grsecurity copyright, when more specific details are not easy to find, the following could be used: Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc. Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity: $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. b8b9d50671afe2ce0268b9b4b6eec41e13d33039 4028 4021 2021-05-27T05:35:58Z KeesCook 3 ditch freenode wikitext text/x-wiki Want to get involved in the [[Kernel Self Protection Project]]? Here's how: = Join the conversations = * Subscribe to the [http://vger.kernel.org/vger-lists.html#linux-hardening '''upstream''' Linux kernel hardening mailing list], <code>'''linux'''-hardening@vger.kernel.org</code>, where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].) * Subscribe to the [https://www.openwall.com/lists/kernel-hardening/ '''general''' Linux kernel hardening mailing list], <code>'''kernel'''-hardening@lists.openwall.com</code>, where new hardening topics and summaries of completed work are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].) ** Note: when sending to <code>kernel-hardening@lists.openwall.com</code>, please also CC <code>linux-hardening@vger.kernel.org</code> too. * (Optional) Join the <code>#linux-hardening</code> IRC channel on [https://libera.chat/ Libera.Chat]. 
= Introduce Yourself = Send an email to the lists to introduce yourself! * What topics are you interested in? * What do you want to learn about? * What experience do you have with security, the kernel, programming, or anything else you think is important? = Pick something to work on = Pick something from the [https://github.com/KSPP/linux/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers. = Contribute patches = Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible. When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas. == grsecurity and other non-upstream patch sources == As with any other Free Software project, it is particularly important that if you're working on upstreaming work from other projects, be sure your patches are giving credit to the original authors, that licenses are compatible, and that copyright notices are retained, etc. 
In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For grsecurity copyright, when more specific details are not easy to find, the following could be used: Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc. Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity: $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. e01cb09e0901f093c6e4c0ff1c1945d5f5e9b01e KSPP 0 193 4029 2021-08-12T18:10:42Z KeesCook 3 add shortened redirect page wikitext text/x-wiki #REDIRECT [[Kernel Self Protection Project]] 94c8ace45f71357af64931088caea72f54cb3357 Kernel Self Protection Project 0 162 4032 3895 2021-10-20T21:27:42Z KeesCook 3 /* Details */ adding a link to patch tracking process wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. 
As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely]. These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation. = Principles = A short list of things to keep in mind when designing self-protection features: * Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results. 
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized. * Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws. * Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks). = Details = Specific details on the project: ==== [[Kernel Self Protection Project/Get Involved|Get Involved]] ==== ==== [[Kernel Self Protection Project/Work|Areas of Work Needed]] ==== ==== [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]] ==== ==== [[Kernel Self Protection Project/Work|Patch Tracking]] ==== = Documentation = For kernel protections already in upstream (or under active development) that have specific documentation: ==== [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines] ==== ==== [[Kernel_Protections/refcount_t|refcount_t]] ==== : Kernel reference counter overflow protection 4b82af5d851b4d540441aa0262c87cc1f4335814 4033 4032 2021-10-20T21:27:57Z KeesCook 3 /* Details */ wikitext text/x-wiki = Mission Statement = This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). 
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Details =
Specific details on the project:
==== [[Kernel Self Protection Project/Get Involved|Get Involved]] ====
==== [[Kernel Self Protection Project/Work|Areas of Work Needed]] ====
==== [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]] ====
==== [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]] ====

= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:
==== [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines] ====
==== [[Kernel_Protections/refcount_t|refcount_t]] ====
: Kernel reference counter overflow protection

88066062124947b41b448b3cbc190f8a894dbedb Kernel Self Protection Project/Patch Tracking 0 194 4034 2021-10-20T22:07:59Z KeesCook 3 process overview wikitext text/x-wiki

= Overview =
The primary place where patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/ patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc. tags in a single place to see status.

= Process =
The overview list shows patches that need some kind of work to move through the tracking process:
* [https://patchwork.kernel.org/project/linux-hardening/list/ Action Needed]: Needs work from someone on the linux-hardening patchwork team.

The specific "state machine" we use follows this path:
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate= New]: No activity yet.
** Move to "Under Review" (possibly with a delegate assigned to do the review).
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate= Under Review]: Reviewers need to give feedback on the patch.
** Move to "Changes Requested" if a new version of the patch is needed after review feedback.
** Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.
** Move to "Queued" if a linux-hardening tree applies the patch.
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
** In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate= Handled Elsewhere]: Going via another tree, but not yet in linux-next.
** Move to "Awaiting Upstream" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate= Queued]: Going via a linux-hardening tree, but not yet in linux-next.
** Move to "Awaiting Upstream" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=8&q=&archive=&delegate= Awaiting Upstream]: In linux-next, but not yet in Linus's tree.
** Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate= Mainlined]: Done! In Linus's tree.

ce1d670cfef1b7ef819caa22fb5f30e38ca576a4 4035 4034 2021-10-20T22:11:40Z KeesCook 3 fix formatting wikitext text/x-wiki

= Overview =
The primary place where [[Kernel_Self_Protection_Project|KSPP]] patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/ patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc. tags in a single place to see status.

= Process =
The overview list shows patches that need some kind of work to move through the tracking process:
* [https://patchwork.kernel.org/project/linux-hardening/list/ Action Needed]: Needs work from someone on the linux-hardening patchwork team.

The specific "state machine" we use follows this path:
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate= New]: No activity yet.
** Move to "Under Review" (possibly with a delegate assigned to do the review).
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate= Under Review]: Reviewers need to give feedback on the patch.
** Move to "Changes Requested" if a new version of the patch is needed after review feedback.
** Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.
** Move to "Queued" if a linux-hardening tree applies the patch.
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
** In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate= Handled Elsewhere]: Going via another tree, but not yet in linux-next.
** Move to "Awaiting Upstream" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate= Queued]: Going via a linux-hardening tree, but not yet in linux-next.
** Move to "Awaiting Upstream" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=8&q=&archive=&delegate= Awaiting Upstream]: In linux-next, but not yet in Linus's tree.
** Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate= Mainlined]: Done! In Linus's tree.

09ac4e337a591ad667bd9ee2b2c752f91cd30216 4036 4035 2021-10-21T15:20:32Z KeesCook 3 swap "Awaiting Upstream" for "In Next" wikitext text/x-wiki

= Overview =
The primary place where [[Kernel_Self_Protection_Project|KSPP]] patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/ patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc. tags in a single place to see status.

= Process =
The overview list shows patches that need some kind of work to move through the tracking process:
* [https://patchwork.kernel.org/project/linux-hardening/list/ Action Needed]: Needs work from someone on the linux-hardening patchwork team.

The specific "state machine" we use follows this path:
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate= New]: No activity yet.
** Move to "Under Review" (possibly with a delegate assigned to do the review).
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate= Under Review]: Reviewers need to give feedback on the patch.
** Move to "Changes Requested" if a new version of the patch is needed after review feedback.
** Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.
** Move to "Queued" if a linux-hardening tree applies the patch.
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
** In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate= Handled Elsewhere]: Going via another tree, but not yet in linux-next.
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate= Queued]: Going via a linux-hardening tree, but not yet in linux-next.
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=8&q=&archive=&delegate= In Next]: In linux-next, but not yet in Linus's tree.
** Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate= Mainlined]: Done! In Linus's tree.

549f45be084d0021b89afe59e9f052d1ea931f1b 4037 4036 2021-10-26T22:50:58Z KeesCook 3 /* Process */ adjust process for "Needs ACK" wikitext text/x-wiki

= Overview =
The primary place where [[Kernel_Self_Protection_Project|KSPP]] patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/ patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc. tags in a single place to see status.

= Process =
The overview list shows patches that need some kind of work to move through the tracking process:
* [https://patchwork.kernel.org/project/linux-hardening/list/ Action Needed]: Needs work from someone on the linux-hardening patchwork team.
The specific "state machine" we use follows this path:
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate= New]: No activity yet.
** Move to "Under Review" (possibly with a delegate assigned to do the review).
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate= Under Review]: Reviewers need to give feedback on the patch.
** Move to "Changes Requested" if a new version of the patch is needed after review feedback.
** Move to "Needs ACK" if another subsystem is expected to take the patch into their tree.
** Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.
** Move to "Queued" if a linux-hardening tree applies the patch.
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
** Move to "In Next" if the patch appears in linux-next (the patchwork-bot usually does this automatically).
** In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate= Queued]: Going via a linux-hardening tree, but not yet in linux-next.
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=15&q=&archive=&delegate= Needs ACK]: Going via another tree, but not yet reviewed by its maintainer.
** Move to "Handled Elsewhere" once the other tree's maintainer says they are applying the patch.
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate= Handled Elsewhere]: Going via another tree, but not yet in linux-next.
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=8&q=&archive=&delegate= In Next]: In linux-next, but not yet in Linus's tree.
** Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate= Mainlined]: Done! In Linus's tree.

291558069c723ed1d05a2aa4d369e8e59a464db2 Kernel Self Protection Project 0 162 4039 4033 2022-02-14T20:28:34Z KeesCook 3 /* Details */ don't make these sections of their own, just a list so the Contents links aren't confusing. wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Details =
Specific details on the project:
* [[Kernel Self Protection Project/Get Involved|Get Involved]]
* [[Kernel Self Protection Project/Work|Areas of Work Needed]]
* [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]]
* [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]]

= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:
==== [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines] ====
==== [[Kernel_Protections/refcount_t|refcount_t]] ====
: Kernel reference counter overflow protection

f91e353623afcfc5c55164b0978990675f74f4ac 4040 4039 2022-02-14T20:29:50Z KeesCook 3 /* Documentation */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Details =
Specific details on the project:
* [[Kernel Self Protection Project/Get Involved|Get Involved]]
* [[Kernel Self Protection Project/Work|Areas of Work Needed]]
* [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]]
* [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]]

= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:
* [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines]
* [[Kernel_Protections/refcount_t|refcount_t]]: Kernel reference counter overflow protection

794fab47a3b6cfe00d4a8d6c1675257a615198db 4048 4040 2022-05-08T08:18:31Z KeesCook 3 /* Documentation */ add Samsung analysis wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Details =
Specific details on the project:
* [[Kernel Self Protection Project/Get Involved|Get Involved]]
* [[Kernel Self Protection Project/Work|Areas of Work Needed]]
* [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]]
* [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]]

= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:
* [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines]
* [[Kernel_Protections/refcount_t|refcount_t]]: Kernel reference counter overflow protection
* [https://samsung.github.io/kspp-study/ Analysis on Kernel Self-Protection: Understanding Security and Performance Implication] ([https://github.com/Samsung/kspp-study github])

f26e3ccc4bf6c41183f64b8ed3b17df2c44e6a6b 4061 4048 2022-10-28T16:50:48Z KeesCook 3 /* Principles */ wikitext text/x-wiki

= Mission Statement =
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs].

As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]).
Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that.

Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Upstream development is evolutionary, not revolutionary, which means it can sometimes [https://ieeexplore.ieee.org/abstract/document/6624016 take time] for features to become fully realized.
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Details =
Specific details on the project:
* [[Kernel Self Protection Project/Get Involved|Get Involved]]
* [[Kernel Self Protection Project/Work|Areas of Work Needed]]
* [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]]
* [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]]

= Documentation =
For kernel protections already in upstream (or under active development) that have specific documentation:
* [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines]
* [[Kernel_Protections/refcount_t|refcount_t]]: Kernel reference counter overflow protection
* [https://samsung.github.io/kspp-study/ Analysis on Kernel Self-Protection: Understanding Security and Performance Implication] ([https://github.com/Samsung/kspp-study github])

46ab4722e1c5dc12f80a18666450704e5d098b35 Kernel Self Protection Project/Patch Tracking 0 194 4041 4037 2022-03-24T23:39:24Z KeesCook 3 /* Process */ fix "in next" link wikitext text/x-wiki

= Overview =
The primary place where [[Kernel_Self_Protection_Project|KSPP]] patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/ patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc. tags in a single place to see status.

= Process =
The overview list shows patches that need some kind of work to move through the tracking process:
* [https://patchwork.kernel.org/project/linux-hardening/list/ Action Needed]: Needs work from someone on the linux-hardening patchwork team.

The specific "state machine" we use follows this path:
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate= New]: No activity yet.
** Move to "Under Review" (possibly with a delegate assigned to do the review).
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate= Under Review]: Reviewers need to give feedback on the patch.
** Move to "Changes Requested" if a new version of the patch is needed after review feedback.
** Move to "Needs ACK" if another subsystem is expected to take the patch into their tree.
** Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.
** Move to "Queued" if a linux-hardening tree applies the patch.
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).
** Move to "In Next" if the patch appears in linux-next (the patchwork-bot usually does this automatically).
** In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate= Queued]: Going via a linux-hardening tree, but not yet in linux-next.
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=15&q=&archive=&delegate= Needs ACK]: Going via another tree, but not yet reviewed by its maintainer.
** Move to "Handled Elsewhere" once the other tree's maintainer says they are applying the patch.
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate= Handled Elsewhere]: Going via another tree, but not yet in linux-next.
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=19&q=&archive=&delegate= In Next]: In linux-next, but not yet in Linus's tree.
** Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate= Mainlined]: Done! In Linus's tree.

4adec240075111b55531cd41a3583977563acfe4 Kernel Self Protection Project/Recommended Settings 0 183 4042 4031 2022-03-30T21:49:33Z KeesCook 3 /* CONFIGs */ add various bits noted as missing by Peter Böhm wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. 
CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Enable kernel stack offset randomization by default (or set "randomize_kstack_offset=y" at boot) CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) CONFIG_ZERO_CALL_USED_REGS=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. 
# CONFIG_MODULES is not set # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). 
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To protect against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2 df6ac6d448f61406024fbec44751459f05db08e4 4043 4042 2022-03-30T21:49:51Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki a86ae21a9735d17130b8f797006623f80cc03fa2 4044 4043 2022-03-30T21:52:29Z KeesCook 3 Ah, koffset_default was already there. Add iommu default boot param too. wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. 
CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) CONFIG_ZERO_CALL_USED_REGS=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). 
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). 
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To protect against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 f31ef1d396cbb3685ace668c47ba7974b11e012a 4045 4044 2022-03-30T21:55:51Z KeesCook 3 move randomized kstack to all archs, since it's only missing on arm. fix name of trivial-auto-var-init feature enablement wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. 
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
CONFIG_ZERO_CALL_USED_REGS=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0 iommu.strict=1

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

114208f9126894e95670c058a9d52f7552caab95 4046 4045 2022-03-30T21:57:22Z KeesCook 3 /* CONFIGs */ add kfence wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.
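The sysctl values from the "= sysctls =" list can be audited on a running system with the script below, an added example that is not part of the wiki page or of the KSPP's own tooling. The ksp_* function names, the optional SYSCTL_ROOT argument (to point the audit at a fake tree for testing) and the "stricter than recommended also passes" comparison rule are this example's own assumptions.

```shell
#!/bin/sh
# Audit live sysctl values against the values recommended in the sysctls section.
# Added example, not KSPP code. Usage: sh ksp_sysctl_audit.sh [SYSCTL_ROOT]
# SYSCTL_ROOT defaults to /proc/sys; a directory with the same layout can be
# substituted for offline testing.

# Recommended values as "key direction bound" triples.
# ge: the live value must be >= bound (a higher value is stricter, e.g. kptr_restrict=2).
# le: the live value must be <= bound (a lower value is stricter, e.g. max_user_namespaces=0).
# perf_event_paranoid=3 only has extra effect with the distro patch; the wiki still
# recommends 3, so that is the bound checked here.
ksp_recommended() {
    cat <<'EOF'
kernel.kptr_restrict ge 1
kernel.dmesg_restrict ge 1
kernel.perf_event_paranoid ge 3
kernel.kexec_load_disabled ge 1
kernel.yama.ptrace_scope ge 1
user.max_user_namespaces le 0
kernel.unprivileged_bpf_disabled ge 1
net.core.bpf_jit_harden ge 2
EOF
}

# ksp_check_one ROOT KEY DIRECTION BOUND
# Prints one line "OK|WEAK|MISSING key ..." and returns 0 only for OK.
ksp_check_one() {
    root=$1; key=$2; dir=$3; want=$4
    # kernel.yama.ptrace_scope -> ROOT/kernel/yama/ptrace_scope
    path="$root/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$path" ]; then
        # Knob absent: feature compiled out (e.g. no Yama LSM) or unreadable.
        printf 'MISSING %s (want %s %s)\n' "$key" "$dir" "$want"
        return 2
    fi
    have=$(cat "$path")
    state=WEAK
    case $dir in
        ge) [ "$have" -ge "$want" ] 2>/dev/null && state=OK ;;
        le) [ "$have" -le "$want" ] 2>/dev/null && state=OK ;;
    esac
    printf '%s %s = %s (want %s %s)\n' "$state" "$key" "$have" "$dir" "$want"
    [ "$state" = OK ]
}

# ksp_audit [ROOT]: checks every recommended key and returns the number of
# keys that are weaker than recommended or missing (0 = fully compliant).
ksp_audit() {
    root=${1:-/proc/sys}
    bad=0
    for spec in $(ksp_recommended | tr ' ' ':'); do
        key=${spec%%:*}
        spec=${spec#*:}
        dir=${spec%%:*}
        want=${spec#*:}
        ksp_check_one "$root" "$key" "$dir" "$want" || bad=$((bad + 1))
    done
    return "$bad"
}

# Run against the live system only when executed as a script under this name,
# so the functions can also be sourced from another script.
case $0 in *ksp_sysctl_audit*) ksp_audit "$1" ;; esac
```

The exit status is the count of weak or missing knobs, so the script drops straight into a CI or configuration-management check.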
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
CONFIG_ZERO_CALL_USED_REGS=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0 iommu.strict=1

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

a849901420488f74cf1c65620732e586dc699d8f 4047 4046 2022-03-30T22:03:25Z KeesCook 3 /* CONFIGs */ CONFIG_SCHED_CORE wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
CONFIG_ZERO_CALL_USED_REGS=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0 iommu.strict=1

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

521181ad33dcb8ebee8760b64adc0f0e546a2eab 4049 4047 2022-08-19T21:56:51Z KeesCook 3 /* CONFIGs */ add note about Landlock thanks to Mickaël Salaün wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). 
CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). 
CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) CONFIG_ZERO_CALL_USED_REGS=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. 
# CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To mitigate L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). # If "P" below is also wanted, combine the flags into a single slub_debug=ZFP; a repeated slub_debug= replaces the earlier one rather than adding to it. slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0 iommu.strict=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 d9261a3c3f081a9682870b496565fe5bc162a18f 4050 4049 2022-10-10T02:29:14Z KeesCook 3 /* CONFIGs */ add settings for recent kernels, thanks to Alexander Popov for the prodding and specific suggestions. wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFI<br>G_BUG=y # Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. # Make sure that "lockdown" is also present in the CONFIG_LSM list. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. 
CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) CONFIG_ZERO_CALL_USED_REGS=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. 
# CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. 
# CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To mitigate L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). # If "P" below is also wanted, combine the flags into a single slub_debug=ZFP; a repeated slub_debug= replaces the earlier one rather than adding to it. slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 abe103d76b9bbacd4130e8423cb465d6cbe692be 4051 4050 2022-10-10T02:41:23Z KeesCook 3 /* CONFIGs */ next chunk from Alexander. RNG trust source settings are my recommendation, though. wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. # Make sure that "lockdown" is also present in the CONFIG_LSM list. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set (option removed in v5.16) # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set (option removed in v5.19) # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y (prior to v5.11) CONFIG_PAGE_POISONING_ZERO=y (prior to v5.11; both sub-options were removed once init_on_free covered the same need) # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting (prior to v5.5; since then the full checks are unconditional and the option no longer exists). CONFIG_REFCOUNT_FULL=y (prior to v5.5) # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The input pool mixes every contribution through a cryptographic hash, so injected entropy cannot weaken what was already collected, and even # malicious sources should not cause problems. # What "trust" changes is that the source's bytes are credited, which can let the CRNG be declared seeded sooner; leave these off if the firmware or CPU vendor is outside your trust boundary. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) CONFIG_ZERO_CALL_USED_REGS=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" (generated at build time if absent; the private key must not ship with the deployed system) == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y (since v5.19 the options are CONFIG_RANDSTRUCT_FULL=y and CONFIG_RANDSTRUCT_PERFORMANCE=y) CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
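The signed-modules requirement above (CONFIG_MODULE_SIG_FORCE=y) is enforced on the trailer that scripts/sign-file appends to every .ko: the PKCS#7 signature, then a fixed struct module_signature, then the magic string MODULE_SIG_STRING. As an added example, not code from this wiki page or from the kernel tree, the following parses that trailer with the same sanity checks the kernel's mod_check_sig() applies before it even looks at the signature, so a build or deployment pipeline can refuse unsigned or malformed modules before they reach a MODULE_SIG_FORCE kernel. The struct layout and magic string come from include/linux/module_signature.h; the module and signature bytes at the bottom are constructed placeholders, not a real ELF file or a real PKCS#7 blob.

```python
"""Parse the signature trailer that scripts/sign-file appends to a .ko and
apply the framing checks the kernel's mod_check_sig() performs.
Added example; not code from the wiki page or the kernel tree."""
import struct

# From include/linux/module_signature.h.  A signed module is laid out as
#   [ELF module][signature][struct module_signature][MODULE_SIG_STRING]
MODULE_SIG_STRING = b"~Module signature appended~\n"          # 28 bytes
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# __pad[3], __be32 sig_len  (12 bytes, big-endian length)
MODULE_SIGNATURE = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2            # the only id_type a current sign-file emits


def parse_module_signature(blob):
    """Return {'sig_len', 'signature', 'payload'} for a well-formed trailer,
    or None when the module is unsigned or the trailer is malformed; a
    CONFIG_MODULE_SIG_FORCE=y kernel refuses to load either case."""
    if not blob.endswith(MODULE_SIG_STRING):
        return None                               # no trailer at all: unsigned
    body = blob[:-len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIGNATURE.size:
        return None
    algo, hash_, id_type, signer_len, key_id_len, sig_len = \
        MODULE_SIGNATURE.unpack(body[-MODULE_SIGNATURE.size:])
    body = body[:-MODULE_SIGNATURE.size]
    # PKCS#7 carries signer and digest inside the DER blob, so the legacy
    # fields must all be zero (kernel: -ENOPKG / -EBADMSG otherwise).
    if id_type != PKEY_ID_PKCS7 or (algo, hash_, signer_len, key_id_len) != (0, 0, 0, 0):
        return None
    # Kernel rejects sig_len >= file_len - sizeof(struct module_signature).
    if sig_len == 0 or sig_len >= len(body):
        return None
    return {"sig_len": sig_len, "signature": body[-sig_len:], "payload": body[:-sig_len]}


def append_signature_trailer(module, signature):
    """Reproduce sign-file's layout so the parser can be exercised offline."""
    ms = MODULE_SIGNATURE.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return module + signature + ms + MODULE_SIG_STRING


def module_file_is_signed(path):
    """True if the .ko at `path` carries a well-formed signature trailer."""
    with open(path, "rb") as f:
        return parse_module_signature(f.read()) is not None


# Constructed stand-ins: a fake ELF header padded out, and DER-looking bytes
# that are NOT a real PKCS#7 signature (only the framing is exercised here).
FAKE_MODULE = b"\x7fELF" + b"\x00" * 60
FAKE_SIGNATURE = b"\x30\x82\x01\x00" + b"\xaa" * 20

if __name__ == "__main__":
    signed = append_signature_trailer(FAKE_MODULE, FAKE_SIGNATURE)
    print("signed  :", parse_module_signature(signed) is not None)
    print("unsigned:", parse_module_signature(FAKE_MODULE) is not None)
```

On a real host, modinfo -F sig_id on a signed module prints PKCS#7 from this same trailer. What the parser deliberately does not do is verify the PKCS#7 blob against the build certificate: that needs the kernel's builtin trusted keyring and is the kernel's job at load time, which is exactly why the private half of certs/signing_key.pem must never leave the build machine.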
CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. 
# CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). 
kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 a097b8e801482e514b7b0995c9b56430fa308c14 4052 4051 2022-10-10T02:57:35Z KeesCook 3 /* arm64 */ arm64 CFI and things, thanks to Alexander for the ping wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) 
# CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # SECURITY_SELINUX_BOOTPARAM is not set # SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). 
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). 
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even # malicious sources should not cause problems. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) CONFIG_ZERO_CALL_USED_REGS=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. 
# CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. 
CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Software Shadow Stack or PAC CONFIG_SHADOW_CALL_STACK=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. 
# CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) 
vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 305d7aa9c75f0e1d876d42559e5db7a19b0c9eb9 4053 4052 2022-10-10T02:58:17Z KeesCook 3 /* x86_64 */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). 
CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # SECURITY_SELINUX_BOOTPARAM is not set # SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. 
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). 
This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even # malicious sources should not cause problems. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) CONFIG_ZERO_CALL_USED_REGS=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. 
# CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. 
CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Software Shadow Stack or PAC CONFIG_SHADOW_CALL_STACK=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. 
# CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). 
iommu.passthrough=0 iommu.strict=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 1af402e7b000e76c16c9f3109a6fed19c8526da6 4054 4053 2022-10-10T03:00:57Z KeesCook 3 /* CONFIGs */ Alexander recommendation wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. 
Revision 4056 (2022-10-13T14:49:30Z, KeesCook): /* x86_64 */ CFI

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 # Randomize high-order page allocation freelist.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and # minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y # Wipe RAM at reboot via EFI. CONFIG_RESET_ATTACK_MITIGATION=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. 
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1) CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. 
CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Software Shadow Stack or PAC CONFIG_SHADOW_CALL_STACK=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. 
init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. 
user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 19406ca713f6aa64fa705894123dbab94cf540ad 4057 4056 2022-10-13T15:17:18Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. 
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for a bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
# Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
# Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from a function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if the kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need these.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y
# Mitigate Straight-Line Speculation.
CONFIG_SLS=y
# Enable Control Flow Integrity (since v6.1)
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y
# Software Shadow Stack or PAC
CONFIG_SHADOW_CALL_STACK=y
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y
# Enable Control Flow Integrity
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1 init_on_free=1
# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0 iommu.strict=1

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

07c3fc97df2d1e45c3a4bad18cb5a40cd0ae77be 4058 4057 2022-10-14T02:25:55Z KeesCook 3 /* x86_32 */ iommu wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). 
CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). 
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even # malicious sources should not cause problems. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and # minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y # Wipe RAM at reboot via EFI. # For more details, see: # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ # https://bugzilla.redhat.com/show_bug.cgi?id=1532058 CONFIG_RESET_ATTACK_MITIGATION=y # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk CONFIG_STATIC_USERMODEHELPER=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. 
# CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. 
# CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional attack surface, unless you really need them. # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1) CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Software Shadow Stack or PAC CONFIG_SHADOW_CALL_STACK=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. 
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 # Don't allow 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =
 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyper threading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1

== x86_64 ==
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

5aa5562de7eb29496853c0ff78c7fb440fee3c6e 4059 4058 2022-10-15T03:16:58Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system.
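The lists that follow are meant to be compared against a real system. As an added example, not part of this wiki page or of KSPP's tooling, the Python below parses a saved .config (the CONFIG_X=y, quoted-string and "# CONFIG_X is not set" forms), a /proc/cmdline-style boot line and a sysctl snapshot, and reports where they deviate from a hand-picked excerpt of the settings on this page. The sample .config, command line and sysctl values are constructed for the demonstration; an option absent from the .config is treated as unset, which is how Kconfig behaves for options not visible in the tree.

```python
"""Compare a saved kernel .config, a boot command line and a sysctl snapshot
against a KSPP-style expectation list.  Added example for this page; it is
not KSPP or kconfig-hardened-check code, and the expectation dicts are only
a hand-picked excerpt of the settings listed on the page."""
import re

# A .config carries three line shapes: CONFIG_X=y, CONFIG_X="str" / CONFIG_X=123,
# and the disabled form "# CONFIG_X is not set".  Everything else is ignored.
_NOT_SET = re.compile(r"^# (CONFIG_\w+) is not set$")
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")


def parse_kconfig(text):
    """Return {option: value}; explicitly disabled options map to None."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = _NOT_SET.match(line)
        if m:
            cfg[m.group(1)] = None
            continue
        m = _SET.match(line)
        if m:
            val = m.group(2)
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]          # Kconfig strings are double-quoted
            cfg[m.group(1)] = val
    return cfg


def check_kconfig(cfg, expected):
    """expected maps option -> wanted value, or None for 'must be unset'.
    An option absent from the file counts as unset: Kconfig only writes the
    '# ... is not set' line for options visible in that tree."""
    return [(opt, want, cfg.get(opt)) for opt, want in expected.items()
            if cfg.get(opt) != want]


def parse_cmdline(text):
    """/proc/cmdline style: space-separated, optional =value, bare flags -> True."""
    params = {}
    for tok in text.split():
        key, sep, val = tok.partition("=")
        params[key] = val if sep else True
    return params


def missing_cmdline_params(params, required):
    """Names from `required` that are absent from the parsed command line."""
    return [p for p in required if p not in params]


def check_sysctls(values, expected):
    """Both dicts are key -> string, as read from /proc/sys or `sysctl -a`."""
    return [(k, want, values.get(k)) for k, want in expected.items()
            if values.get(k) != want]


# Constructed sample .config excerpt (not from a real build).
SAMPLE_CONFIG = """\
CONFIG_BUG=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_DEVMEM is not set
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_PANIC_TIMEOUT=-1
CONFIG_HIBERNATION=y
"""
# Excerpt of the page's CONFIG recommendations; None means "is not set".
EXPECTED_CONFIG = {
    "CONFIG_BUG": "y", "CONFIG_STRICT_KERNEL_RWX": "y", "CONFIG_DEVMEM": None,
    "CONFIG_MODULE_SIG_FORCE": "y", "CONFIG_MODULE_SIG_KEY": "certs/signing_key.pem",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536", "CONFIG_PANIC_TIMEOUT": "-1",
    "CONFIG_HIBERNATION": None,
    "CONFIG_SECURITY_LOCKDOWN_LSM": "y",   # absent from the sample, so reported
}
# Constructed boot line and sysctl snapshot.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro init_on_alloc=1 slab_nomerge pti=on"
REQUIRED_PARAMS = ("init_on_alloc", "init_on_free", "slab_nomerge", "pti")
SAMPLE_SYSCTL = {"kernel.kptr_restrict": "1", "kernel.dmesg_restrict": "0",
                 "kernel.yama.ptrace_scope": "1", "kernel.unprivileged_bpf_disabled": "1"}
EXPECTED_SYSCTL = {"kernel.kptr_restrict": "1", "kernel.dmesg_restrict": "1",
                   "kernel.yama.ptrace_scope": "1", "kernel.unprivileged_bpf_disabled": "1",
                   "user.max_user_namespaces": "0"}


def report():
    """Run all three checks on the constructed samples; returns the findings."""
    kc = check_kconfig(parse_kconfig(SAMPLE_CONFIG), EXPECTED_CONFIG)
    cl = missing_cmdline_params(parse_cmdline(SAMPLE_CMDLINE), REQUIRED_PARAMS)
    sc = check_sysctls(SAMPLE_SYSCTL, EXPECTED_SYSCTL)
    return kc, cl, sc


if __name__ == "__main__":
    kconfig, cmdline, sysctl = report()
    for opt, want, have in kconfig:
        print(f"{opt}: want {want or 'unset'}, have {have or 'unset'}")
    print("missing command line parameters:", ", ".join(cmdline) or "none")
    for key, want, have in sysctl:
        print(f"{key}: want {want}, have {have if have is not None else 'unset'}")
```

To run it against a live machine, feed parse_kconfig() the gunzipped contents of /proc/config.gz (or the distro's /boot/config-$(uname -r)), parse_cmdline() the contents of /proc/cmdline, and check_sysctls() a dict built from `sysctl -a` output; the expectation dicts can then be widened to the full lists below.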
Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 # Randomize high-order page allocation freelist.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Remove additional attack surface, unless you really need these interfaces.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Mitigate Straight-Line Speculation.
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1)
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Software shadow call stack (alternative to pointer authentication, below).
 CONFIG_SHADOW_CALL_STACK=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 # Enable Control Flow Integrity
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 # Don't allow 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =
 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyper threading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1

== x86_64 ==
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

902e77a0a2dc931ad0849461988c1c923b640849 4060 4059 2022-10-15T03:17:58Z KeesCook 3 /* sysctls */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 # Randomize high-order page allocation freelist.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros.
 # See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Remove additional attack surface, unless you really need these interfaces.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Mitigate Straight-Line Speculation.
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1)
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Software shadow call stack (alternative to pointer authentication, below).
 CONFIG_SHADOW_CALL_STACK=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 # Enable Control Flow Integrity
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 # Don't allow 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =
 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyper threading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1

== x86_64 ==
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 8820693f9ab0ff9c3064eb1b6b106fb3ec950aea 4062 4060 2022-11-01T22:48:40Z KeesCook 3 /* x86_64 */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. 
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 # Randomize high-order page allocation freelist.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3).
 # Instead of "slub_debug=P" and "page_poison=1", a single place can now control memory allocation wiping.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions, both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1).
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack).
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Straight-Line-Speculation
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1)
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Software Shadow Stack or PAC
 CONFIG_SHADOW_CALL_STACK=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 # Enable Control Flow Integrity
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =
 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyper-threading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 # (Before v5.3, without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3, without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1

== x86_64 ==
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable user namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

Revision 4063 (parent revision 4062), 2022-11-01T22:50:15Z, by KeesCook, edit summary: /* arm64 */ (sha1 51ac29b428af97c560357a5fcd0ea1fd45944e00)

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protection against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 # Randomize high-order page allocation freelist.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3).
 # Instead of "slub_debug=P" and "page_poison=1", a single place can now control memory allocation wiping.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions, both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1).
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack).
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Remove additional attack surface, unless you really need them.
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Straight-Line-Speculation
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1)
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Software Shadow Stack or PAC
 CONFIG_SHADOW_CALL_STACK=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 # Enable Control Flow Integrity
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =
 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyper-threading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 # (Before v5.3, without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3, without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1

== x86_64 ==
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 kernel.kptr_restrict = 1
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 # Disable user namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

Revision 4064 (parent revision 4063), 2022-11-01T22:50:37Z, by KeesCook, edit summary: /* x86_64 */ (sha1 4af6bfd1d1e895506f8d1e85b296995243c63007)

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protection against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 # Randomize high-order page allocation freelist.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3).
 # Instead of "slub_debug=P" and "page_poison=1", a single place can now control memory allocation wiping.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions, both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1).
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. 
# CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional (32-bit) attack surface, unless you really need them. # CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_X86_X32_ABI is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1) CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Remove arm32 support to reduce syscall attack surface. # CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Software Shadow Stack or PAC CONFIG_SHADOW_CALL_STACK=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. 
CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). 
nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. 
net.core.bpf_jit_harden = 2

dfc2bedb32b7178c8bcf699538d8628d800f1509 4068 4064 2023-09-30T22:38:10Z KeesCook 3 /* x86_64 */ compile out vsyscall by default wikitext text/x-wiki
== x86_64 ==

# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
a498f35a605321d6af6c48c1e6e6af50316a485e 4069 4068 2023-09-30T22:42:21Z KeesCook 3 /* kernel command line options */ From Alexander Popov: disable smt when needed wikitext text/x-wiki
# CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Software Shadow Stack or PAC CONFIG_SHADOW_CALL_STACK=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. 
# CONFIG_OABI_COMPAT is not set = kernel command line options = # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). 
kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 81bf53692c4076647ee2301a523081a80d7b8530 4070 4069 2023-09-30T22:44:47Z KeesCook 3 /* kernel command line options */ From Alexander Popov: enable page shuffling in case CONFIG is unset. wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. 
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 
 # Randomize high-order page allocation freelist.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL_ZERO=y
 
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 # Make scheduler aware of SMT Cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
 # Remove additional (32-bit) attack surface, unless you really need them.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation
 CONFIG_SLS=y
 
 # Enable Control Flow Integrity (since v6.1)
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set
 
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 
 # Software Shadow Stack or PAC
 CONFIG_SHADOW_CALL_STACK=y
 
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 
 # Enable Control Flow Integrity
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 
 # Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).
 page_alloc.shuffle=1
 
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 
 # To protect against L1TF, at the cost of losing hyper threading ('''slow''').
 nosmt
 
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 
 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1
 
 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Avoid non-ancestor ptrace access to running processes and their credentials.
 kernel.yama.ptrace_scope = 1
 
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 
 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0
 
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

9506b7c964e415400f3c433140c97a7218d2b670 4071 4070 2023-09-30T22:45:16Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
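
The CONFIG and sysctl lists on this page are only useful if the kernel you actually boot matches them, so a practitioner's first step is an audit. What follows is an added example written for this page, not code from the wiki or from the kconfig-hardened-check tool: a small POSIX shell script that compares a kernel .config and a "sysctl -a" style dump against a subset of the recommendations above, treating a "# CONFIG_FOO is not set" entry as "must not be enabled" and a missing sysctl key as a deviation in its own right. The WANT_CONFIG and WANT_SYSCTL lists, the function names and the two sample inputs are this example's own constructed choices; the samples have deviations planted deliberately so the audit has something to report. On a real machine, point check_config at /boot/config-$(uname -r) (or the output of zcat /proc/config.gz) and check_sysctl at the output of sysctl -a, and extend the lists with any further option from the page.

```shell
#!/bin/sh
# Added example, not part of the KSPP wiki page: audit a kernel .config and a
# sysctl dump against a subset of the recommended settings listed above.
# The WANT_* lists, function names and sample inputs are constructed here.

# Recommended build options, in the exact form they appear in a .config.
# A "# CONFIG_FOO is not set" entry means FOO must be absent or unset.
WANT_CONFIG='
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_MODULE_SIG_FORCE=y
# CONFIG_DEVKMEM is not set
# CONFIG_KEXEC is not set
# CONFIG_COMPAT_BRK is not set
'
# Recommended sysctls, in the "key = value" form printed by "sysctl -a".
WANT_SYSCTL='
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
'
# Constructed sample .config (not a real distro config) with four planted
# deviations: lowered mmap_min_addr, no lockdown LSM, DEVKMEM and KEXEC on.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_DEVKMEM=y
CONFIG_KEXEC=y
# CONFIG_COMPAT_BRK is not set
EOF
# Constructed sample "sysctl -a" excerpt: ptrace_scope is too weak and the
# unprivileged_bpf_disabled key is missing entirely (two deviations).
SAMPLE_SYSCTL=$(mktemp)
cat >"$SAMPLE_SYSCTL" <<'EOF'
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 0
kernel.kexec_load_disabled = 1
net.core.bpf_jit_harden = 2
EOF
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_SYSCTL"' EXIT

# check_config FILE: print one line per deviation from WANT_CONFIG and return
# the number of deviations as the exit status (0 = fully compliant).
check_config() {
    file=$1
    bad=0
    while IFS= read -r want; do
        case $want in
        "") ;;
        "# "*" is not set")            # option must not be enabled at all
            name=${want#"# "}
            name=${name%" is not set"}
            if actual=$(grep "^$name=" "$file"); then
                printf 'CONFIG deviation: %s (recommended: %s)\n' "$actual" "$want"
                bad=$((bad + 1))
            fi
            ;;
        *)                             # option must match the line exactly
            name=${want%%=*}
            if ! grep -qxF -- "$want" "$file"; then
                actual=$(grep "^$name=" "$file" || echo "$name is unset")
                printf 'CONFIG deviation: %s (recommended: %s)\n' "$actual" "$want"
                bad=$((bad + 1))
            fi
            ;;
        esac
    done <<EOF
$WANT_CONFIG
EOF
    return "$bad"
}

# check_sysctl FILE: same contract for a "sysctl -a" style dump. A missing key
# is a deviation too (e.g. yama not built in, so ptrace_scope does not exist).
check_sysctl() {
    file=$1
    bad=0
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        key=${want%% = *}
        actual=$(awk -v k="$key" '$1 == k' "$file")
        if [ -z "$actual" ]; then
            printf 'sysctl deviation: %s is missing (recommended: %s)\n' "$key" "$want"
            bad=$((bad + 1))
        elif [ "$actual" != "$want" ]; then
            printf 'sysctl deviation: %s (recommended: %s)\n' "$actual" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$WANT_SYSCTL
EOF
    return "$bad"
}

# Demo run on the constructed samples; "$?" after "||" is the deviation count.
check_config "$SAMPLE_CONFIG" || echo "config deviations: $?"
check_sysctl "$SAMPLE_SYSCTL" || echo "sysctl deviations: $?"
```

Two design points are worth noting. Matching the wanted line exactly with grep -x means a value-carrying option such as CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 is checked for its value, not merely for being present, which is what the per-architecture sections above require; and the "is not set" branch only looks for an enabled CONFIG_FOO= line, so an option that is absent from the .config (a common result of Kconfig dependencies) is correctly treated as off rather than as a deviation.
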
CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Make sure line disciplines can't be autoloaded (since v5.1). # CONFIG_LDISC_AUTOLOAD is not set # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Randomize high-order page allocation freelist. CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). 
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). 
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even # malicious sources should not cause problems. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and # minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y # Wipe RAM at reboot via EFI. # For more details, see: # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ # https://bugzilla.redhat.com/show_bug.cgi?id=1532058 CONFIG_RESET_ATTACK_MITIGATION=y # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk CONFIG_STATIC_USERMODEHELPER=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. 
# CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. 
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional (32-bit) attack surface, unless you really need them.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y
# Straight-Line-Speculation
CONFIG_SLS=y
# Enable Control Flow Integrity (since v6.1)
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y
# Software Shadow Stack or PAC
CONFIG_SHADOW_CALL_STACK=y
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y
# Enable Control Flow Integrity
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).
page_alloc.shuffle=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0 iommu.strict=1
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

Revision 4072 (parent 4071), 2023-09-30T22:55:06Z, KeesCook: /* kernel command line options */ From Alexander Popov, adding options for maybe missing CONFIGs (sha1 d38d2e4d971a756368088b2a452289b718d645b9)

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for a bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only.
# For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
# Make scheduler aware of SMT Cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional (32-bit) attack surface, unless you really need them.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y
# Straight-Line-Speculation
CONFIG_SLS=y
# Enable Control Flow Integrity (since v6.1)
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y
# Software Shadow Stack or PAC
CONFIG_SHADOW_CALL_STACK=y
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y
# Enable Control Flow Integrity
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.
hardened_usercopy=1
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).
page_alloc.shuffle=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0 iommu.strict=1
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none
# Make sure COMPAT_VDSO stays disabled
vdso32=0

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

Revision 4073 (parent 4072), 2023-09-30T23:09:20Z, KeesCook: /* sysctls */ From Alexander Popov: lock down things even harder. (sha1 3d190afe2e96e53bbdb22a8f95dda1ecd0fba2dc)

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for a bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only.
# For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
# Make scheduler aware of SMT Cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional (32-bit) attack surface, unless you really need them.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y
# Straight-Line-Speculation
CONFIG_SLS=y
# Enable Control Flow Integrity (since v6.1)
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y
# Software Shadow Stack or PAC
CONFIG_SHADOW_CALL_STACK=y
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y
# Enable Control Flow Integrity
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Make sure CONFIG_HARDENED_USERCOPY stays enabled. hardened_usercopy=1 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled). page_alloc.shuffle=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. 
mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Make sure the expected default is enabled to enable full ASLR in userpsace. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.) dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 # Disable userfaultfd for unprivileged processes. vm.unprivileged_userfaultfd = 0 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks. 
fs.protected_symlinks = 1 fs.protected_hardlinks = 1 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads! fs.protected_fifos = 2 fs.protected_regular = 2 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable). fs.suid_dumpable = 0 a8365fdcf5b7b5d3cb7101d66f2a660b1126b41e 4074 4073 2023-10-20T18:48:06Z KeesCook 3 /* x86_64 */ typo noticed by Alexander Popov wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. 
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with the seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Provide userspace with the Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable the "lockdown" LSM for a bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n.)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3).
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions, both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets the sysctl kernel.dmesg_restrict initial value to 1).
CONFIG_SECURITY_DMESG_RESTRICT=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15).
CONFIG_WERROR=y
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Enable feeding RNG entropy from the TPM, if available.
CONFIG_HW_RANDOM_TPM=y
# Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep the interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace; keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if the kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack).
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional (32-bit) attack surface, unless you really need it.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y
# Straight-Line-Speculation mitigation.
CONFIG_SLS=y
# Enable Control Flow Integrity (since v6.1).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for the /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y
# Software Shadow Stack or PAC.
CONFIG_SHADOW_CALL_STACK=y
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y
# Enable Control Flow Integrity.
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# Don't allow 16-bit program emulation and the associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =

# Make sure CONFIG_HARDENED_USERCOPY stays enabled.
hardened_usercopy=1
# Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).
page_alloc.shuffle=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3, without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3, without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0
iommu.strict=1
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt

== x86_64 ==

# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none
# Make sure COMPAT_VDSO stays disabled.
vdso32=0

= sysctls =

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs a [https://patchwork.kernel.org/patch/9249919/ distro patch]; otherwise this is the same as "= 2").
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Make sure the expected default is enabled, to get full ASLR in userspace.
kernel.randomize_va_space = 2
# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
kernel.yama.ptrace_scope = 3
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0
# Disable TIOCSTI, which is used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2
# Disable userfaultfd for unprivileged processes.
vm.unprivileged_userfaultfd = 0
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

4ebedbb50c1e077fa5095a95c505db33b84616bd 4075 4074 2023-10-20T18:50:20Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =

# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Make sure line disciplines can't be autoloaded (since v5.1). # CONFIG_LDISC_AUTOLOAD is not set # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) 
CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Allow for randomization of high-order page allocation freelist. Must be enabled with # the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. 
CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even # malicious sources should not cause problems. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and # minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y # Wipe RAM at reboot via EFI. # For more details, see: # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ # https://bugzilla.redhat.com/show_bug.cgi?id=1532058 CONFIG_RESET_ATTACK_MITIGATION=y # This needs userspace support, and will break "regular" distros. 
See: https://github.com/tych0/huldufolk CONFIG_STATIC_USERMODEHELPER=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. 
# When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Remove additional (32-bit) attack surface, unless you really need them. # CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_X86_X32_ABI is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1) CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Remove arm32 support to reduce syscall attack surface. 
# CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Software Shadow Stack or PAC CONFIG_SHADOW_CALL_STACK=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. 
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1

 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1

 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on

 # Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).
 page_alloc.shuffle=1

 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge

 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on

 # To protect against L1TF, at the cost of losing hyper-threading ('''slow''').
 nosmt

 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF

 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P

 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1

 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

 # Make sure COMPAT_VDSO stays disabled.
 vdso32=0

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 # If root absolutely needs values from /proc, use value "1".
 kernel.kptr_restrict = 2

 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1

 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
 kernel.perf_event_paranoid = 3

 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1

 # Make sure the expected default is set, enabling full ASLR in userspace.
 kernel.randomize_va_space = 2

 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
 kernel.yama.ptrace_scope = 3

 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0

 # Disable TIOCSTI, which is used to inject keypresses. (This will, however, break screen readers.)
 dev.tty.legacy_tiocsti = 0

 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1

 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

 # Disable userfaultfd for unprivileged processes.
 vm.unprivileged_userfaultfd = 0

 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1

 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
 fs.protected_fifos = 2
 fs.protected_regular = 2

 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
 fs.suid_dumpable = 0

Revision 4076 (parent 4075), 2023-10-20T18:51:09Z, KeesCook (user 3), edit summary: /* kernel command line options */, sha1 297bf77ca16e127f0b44c713c5ba8d977559795f, wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y

 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)

 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y

 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y

 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y

 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y

 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y

 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y

 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set

 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y

 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y

 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set

 # Enable "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y

 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set

 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y

 # Allow for randomization of high-order page allocation freelist. Must be enabled with
 # the "page_alloc.shuffle=1" command line below.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y

 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y

 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n.)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y

 # Wipe slab and page allocations (since v5.3).
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y

 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only.
 # For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
 CONFIG_INIT_STACK_ALL_ZERO=y

 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y

 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y

 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y

 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1).
 CONFIG_SECURITY_DMESG_RESTRICT=y

 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y

 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y

 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y

 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y

 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y

 # Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y

 # Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y

 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y

 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y

 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y

 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set

 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set

 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set

 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set

 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set

 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_KEXEC is not set

 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_HIBERNATION is not set

 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set

 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set

 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set

 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set

 # Reboot devices immediately if the kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1

 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC Plugins.
 CONFIG_GCC_PLUGINS=y

 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y

 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y

 # Wipe stack contents on syscall exit (reduces stale data lifetime in the stack).
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set

 # Randomize the layout of system structures. This may have a dramatic performance impact, so
 # use with caution, or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y.
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y

 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set

 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y

 # Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y

 # Remove additional (32-bit) attack surface, unless you really need these interfaces.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y

 # Mitigate Straight-Line Speculation.
 CONFIG_SLS=y

 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

 # Randomize position of kernel (requires UEFI RNG or bootloader support for the /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set

 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y

 # Software shadow call stack (or use PAC, below).
 CONFIG_SHADOW_CALL_STACK=y

 # Pointer authentication (ARMv8.3 and later). If the hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y

 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y

 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y

 # Enable Control Flow Integrity.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y

 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set

 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y

 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y

 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y

 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y

 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y

 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1

 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1

 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on

 # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
 page_alloc.shuffle=1

 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge

 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on

 # To protect against L1TF, at the cost of losing hyper-threading ('''slow''').
 nosmt

 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF

 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P

 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1

 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

 # Make sure COMPAT_VDSO stays disabled.
 vdso32=0

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
 # If root absolutely needs values from /proc, use value "1".
 kernel.kptr_restrict = 2

 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1

 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
 kernel.perf_event_paranoid = 3

 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1

 # Make sure the expected default is set, enabling full ASLR in userspace.
 kernel.randomize_va_space = 2

 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
 kernel.yama.ptrace_scope = 3

 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0

 # Disable TIOCSTI, which is used to inject keypresses. (This will, however, break screen readers.)
 dev.tty.legacy_tiocsti = 0

 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1

 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

 # Disable userfaultfd for unprivileged processes.
 vm.unprivileged_userfaultfd = 0

 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1

 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
 fs.protected_fifos = 2
 fs.protected_regular = 2

 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
 fs.suid_dumpable = 0

Revision 4077 (parent 4076), 2023-10-20T19:03:08Z, KeesCook (user 3), edit summary: /* CONFIGs */, sha1 4048cf17b196170341cb270edb97389f36eb8be6, wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y

 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)

 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y

 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y

 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y

 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y

 # Perform additional validation of various commonly targeted structures.
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y

 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y

 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set

 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y

 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y

 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set

 # Enable "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y

 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set

 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y

 # Allow for randomization of high-order page allocation freelist. Must be enabled with
 # the "page_alloc.shuffle=1" command line below.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y

 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y

 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n.)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y

 # Wipe slab and page allocations (since v5.3).
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y

 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only.
 # For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
 CONFIG_INIT_STACK_ALL_ZERO=y

 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y

 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y

 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y

 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1).
 CONFIG_SECURITY_DMESG_RESTRICT=y

 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y

 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y

 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y

 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y

 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y

 # Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y

 # Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y

 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y

 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y

 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y

 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set

 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set

 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set

 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set

 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set

 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_KEXEC is not set

 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_HIBERNATION is not set

 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set

 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set

 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set

 # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set

 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set

 # Reboot devices immediately if the kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1

 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC Plugins.
 CONFIG_GCC_PLUGINS=y

 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y

 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y

 # Wipe stack contents on syscall exit (reduces stale data lifetime in the stack).
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set

 # Randomize the layout of system structures. This may have a dramatic performance impact, so
 # use with caution, or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y.
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y

 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set

 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y

 # Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y

 # Remove additional (32-bit) attack surface, unless you really need these interfaces.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y

 # Mitigate Straight-Line Speculation.
 CONFIG_SLS=y

 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

 # Randomize position of kernel (requires UEFI RNG or bootloader support for the /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set

 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y

 # Software shadow call stack (or use PAC, below).
 CONFIG_SHADOW_CALL_STACK=y

 # Pointer authentication (ARMv8.3 and later). If the hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y

 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y

 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y

 # Enable Control Flow Integrity.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y

 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set

 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y

 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y

 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y

 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y

 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y

 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1

 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1

 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on

 # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
page_alloc.shuffle=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Make sure the expected default is enabled to enable full ASLR in userpsace. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. 
# If you need ptrace to work, then avoid non-ancestor ptrace access to running processes
# and their credentials, and use value "1".
kernel.yama.ptrace_scope = 3

# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0

# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0

# Disable TIOCSTI, which can be used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0

# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1

# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

# Disable userfaultfd for unprivileged processes.
vm.unprivileged_userfaultfd = 0

# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2

# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

0e75d86ed6a2a466f70e8ff06f1ccebdf8a42956 4078 4077 2023-10-20T19:04:15Z KeesCook 3 Update kernel hardening checker URL (and name). wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y

# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)

# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y

# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y

# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set

# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y

# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y

# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set

# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y

# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set

# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y

# Allow for randomization of high-order page allocation freelist. (Must be enabled with
# the "page_alloc.shuffle=1" command line below.)
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y

# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y

# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y

# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y

# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y

# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y

# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y

# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y

# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y

# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set

# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y

# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y

# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y

# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y

# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y

# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y

# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y

# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y

# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y

# This needs userspace support, and will break "regular" distros.
# See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y

# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set

# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set

# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set

# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set

# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set

# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set

# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set

# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set

# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set

# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1

# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y

# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y

# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y

# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set

# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set

# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y

# Remove additional (32-bit) attack surface, unless you really need them.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y

# Straight-Line-Speculation
CONFIG_SLS=y

# Enable Control Flow Integrity (since v6.1)
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y

# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set

# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

# Software Shadow Stack or PAC
CONFIG_SHADOW_CALL_STACK=y

# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y

# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y

# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y

# Enable Control Flow Integrity
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set

# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y

# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y

# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y

# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y

# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y

# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =

# Make sure CONFIG_HARDENED_USERCOPY stays enabled.
hardened_usercopy=1

# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1

# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on

# Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
page_alloc.shuffle=1

# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge

# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

# To protect against L1TF, at the cost of losing hyper threading ('''slow''').
nosmt

# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF

# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P

# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1

# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0
iommu.strict=1

# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt

== x86_64 ==

# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

# Make sure COMPAT_VDSO stays disabled.
vdso32=0

= sysctls =

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
# (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)
# If root absolutely needs values from /proc, use value "1".
kernel.kptr_restrict = 2

# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1

# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3

# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1

# Make sure the expected default is set, to enable full ASLR in userspace.
kernel.randomize_va_space = 2

# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access
# to running processes and their credentials, and use value "1".
kernel.yama.ptrace_scope = 3

# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0

# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0

# Disable TIOCSTI, which can be used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0

# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1

# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

# Disable userfaultfd for unprivileged processes.
vm.unprivileged_userfaultfd = 0

# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2

# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

40458eba60c260e202d67ad858de377595a5862e 4079 4078 2024-04-26T20:57:43Z KeesCook 3 /* CONFIGs */ CONFIG_PAGE_TABLE_CHECK wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y

# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)

# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y

# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y

# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set

# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y

# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y

# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set

# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y

# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set

# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y

# Allow for randomization of high-order page allocation freelist. (Must be enabled with
# the "page_alloc.shuffle=1" command line below.)
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y

# Sanity check userspace page table mappings
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y

# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y

# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y

# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y

# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y

# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y

# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y

# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y

# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set

# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y

# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y

# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y

# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y

# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y

# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y

# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y

# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y

# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y

# This needs userspace support, and will break "regular" distros.
# See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y

# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set

# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set

# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set

# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set

# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set

# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set

# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set

# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set

# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set

# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1

# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y

# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y

# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y

# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set

# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set

# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y

# Remove additional (32-bit) attack surface, unless you really need them.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y

# Straight-Line-Speculation
CONFIG_SLS=y

# Enable Control Flow Integrity (since v6.1)
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y

# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set

# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

# Software Shadow Stack or PAC
CONFIG_SHADOW_CALL_STACK=y

# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y

# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y

# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y

# Enable Control Flow Integrity
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set

# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Make sure CONFIG_HARDENED_USERCOPY stays enabled. hardened_usercopy=1 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too). page_alloc.shuffle=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). 
slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Make sure the expected default is enabled to enable full ASLR in userpsace. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.) dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. 
kernel.unprivileged_bpf_disabled = 1

# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

# Disable userfaultfd for unprivileged processes.
vm.unprivileged_userfaultfd = 0

# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2

# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

678125dffeda75e4d9ffe7861043838f12d3989f 4080 4079 2024-04-26T20:58:40Z KeesCook 3 /* x86_64 */ CONFIG_X86_USER_SHADOW_STACK wikitext text/x-wiki

fca927d7187f97f7a5f8e023b60904f73fe89a76 4081 4080 2024-04-26T21:00:11Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y

# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)

# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y

# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...).
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provides some protection against SYN flooding.
CONFIG_SYN_COOKIES=y

# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y

# Provide userspace with the seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set

# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y

# Provide userspace with the Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y

# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set

# Enable the "lockdown" LSM for a bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y

# Perform usercopy bounds checking. (And disable the fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set

# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y

# Allow for randomization of the high-order page allocation freelist. Must be enabled together with
# the "page_alloc.shuffle=1" command line option below.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y

# Sanity check userspace page table mappings (since v5.17).
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y

# Wipe higher-level memory allocations when they are freed (needs the "page_poison=1" command line option below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n.)
# The two sub-options were removed in v5.11; on newer kernels only CONFIG_PAGE_POISONING=y remains.
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y

# Wipe slab and page allocations (since v5.3).
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y

# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only.
# For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
CONFIG_INIT_STACK_ALL_ZERO=y

# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y

# Perform extensive checks on reference counting (prior to v5.5; since then the full checks are always built in).
CONFIG_REFCOUNT_FULL=y

# Check for memory copies that might overflow a structure in str*() and mem*() functions, both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y

# Avoid kernel memory address exposures via dmesg (sets the initial value of the sysctl kernel.dmesg_restrict to 1).
CONFIG_SECURITY_DMESG_RESTRICT=y

# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y

# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y

# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Do not ignore compile-time warnings (since v5.15).
CONFIG_WERROR=y

# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y

# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Enable feeding RNG entropy from the TPM, if available.
CONFIG_HW_RANDOM_TPM=y

# Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y

# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y

# Wipe all caller-used registers on exit from a function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y

# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y

# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y

# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep the interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace; keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Block TTY stuffing attacks (this will break screen readers; see the "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set

# Reboot devices immediately if the kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1

# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
# (If certs/signing_key.pem does not exist, the build generates one. Treat that private key like any other
# signing secret and do not ship it with the build output, or CONFIG_MODULE_SIG_FORCE buys little.)
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

# Enable GCC plugins.
CONFIG_GCC_PLUGINS=y

# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y

# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y

# Wipe stack contents on syscall exit (reduces stale data lifetime in the stack).
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set

# Randomize the layout of system structures. This may have a dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y.
# (Since v5.19 these are CONFIG_RANDSTRUCT_FULL and CONFIG_RANDSTRUCT_PERFORMANCE.)
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFI G_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set

# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y

# Support userspace CET Shadow Stack (since v6.6; needs CET-capable hardware and userspace built for it to take effect).
CONFIG_X86_USER_SHADOW_STACK=y

# Remove additional (32-bit) attack surface, unless you really need it.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y

# Mitigate Straight-Line Speculation (SLS).
CONFIG_SLS=y

# Enable Control Flow Integrity (since v6.1; Clang builds only).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

# Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# Randomize position of kernel (requires UEFI RNG or bootloader support for the /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y

# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set

# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

# Software shadow call stack (Clang builds); protects return addresses on hardware without PAC.
CONFIG_SHADOW_CALL_STACK=y

# Pointer authentication (ARMv8.3 and later). If the hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y

# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y

# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y

# Enable Control Flow Integrity (Clang builds only).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set

# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y

# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y

# Don't allow 16-bit program emulation and the associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

# Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y

# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y

# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y

# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =

# Make sure CONFIG_HARDENED_USERCOPY stays enabled.
hardened_usercopy=1

# Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1

# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on

# Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
page_alloc.shuffle=1

# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge

# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').
nosmt

# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
# If you also want the "P" poisoning flag below, combine the flags into a single option (slub_debug=ZFP) rather than passing slub_debug= twice.
slub_debug=ZF

# (Before v5.3, without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Make sure the expected default is enabled to enable full ASLR in userpsace. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.) dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. 
50dc7fca5350600a31878344ee86dcf96f237724 4082 4081 2024-04-26T21:01:09Z KeesCook 3 /* CONFIGs */ CONFIG_RANDOM_KMALLOC_CACHES wikitext text/x-wiki
fs.suid_dumpable = 0

1c6040cee29c097382083a052b56a7988a4acf7c 4083 4082 2024-04-26T21:02:11Z KeesCook 3 /* CONFIGs */ CONFIG_LIST_HARDENED wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y

# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)

# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y

# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y

# Perform additional validation of various commonly targeted structures.
CONFIG_LIST_HARDENED=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set

# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y

# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y

# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set

# Enable "lockdown" LSM for a bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y

# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set

# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_RANDOM_KMALLOC_CACHES=y

# Allow for randomization of high-order page allocation freelist. (Must be enabled with
# the "page_alloc.shuffle=1" command line below.)
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y

# Sanity check userspace page table mappings (since v5.17).
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y

# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y

# Wipe slab and page allocations (since v5.3).
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y

# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
CONFIG_INIT_STACK_ALL_ZERO=y

# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y

# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y

# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y

# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1).
CONFIG_SECURITY_DMESG_RESTRICT=y

# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y

# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y

# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Do not ignore compile-time warnings (since v5.15).
CONFIG_WERROR=y

# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y

# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y

# Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y

# Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y

# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y

# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y

# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y

# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set

# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set

# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set

# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set

# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_KEXEC is not set

# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_HIBERNATION is not set

# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set

# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set

# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set

# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set

# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set

# Reboot devices immediately if the kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1

# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y

# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y

# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y

# Wipe stack contents on syscall exit (reduces stale data lifetime in stack).
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set

# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set

# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y

# Support userspace CET Shadow Stack.
CONFIG_X86_USER_SHADOW_STACK=y

# Remove additional (32-bit) attack surface, unless you really need it.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y

# Straight-Line-Speculation mitigation.
CONFIG_SLS=y

# Enable Control Flow Integrity (since v6.1).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y

# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set

# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y

# Software Shadow Stack or PAC.
CONFIG_SHADOW_CALL_STACK=y

# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y

# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y

# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y

# Enable Control Flow Integrity.
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set

# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y

# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y

# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y

# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y

# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y

# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =

# Make sure CONFIG_HARDENED_USERCOPY stays enabled.
hardened_usercopy=1

# Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1

# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on

# Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
page_alloc.shuffle=1

# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge

# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on

# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').
nosmt

# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF

# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P

# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1

# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0
iommu.strict=1

# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt

== x86_64 ==

# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

# Make sure COMPAT_VDSO stays disabled.
vdso32=0

= sysctls =

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
kernel.kptr_restrict = 2

# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1

# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
kernel.perf_event_paranoid = 3

# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1

# Make sure the expected default is enabled to enable full ASLR in userspace.
kernel.randomize_va_space = 2

# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
kernel.yama.ptrace_scope = 3

# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0

# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0

# Disable TIOCSTI, which is used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0

# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1

# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2

# Disable userfaultfd for unprivileged processes.
vm.unprivileged_userfaultfd = 0

# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2

# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

4605dfba8481eded34ca69bec51e2293e63a0c1d 4084 4083 2024-04-26T21:08:09Z KeesCook 3 /* CONFIGs */ CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y

# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)

# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y

# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_LIST_HARDENED=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Make sure line disciplines can't be autoloaded (since v5.1). # CONFIG_LDISC_AUTOLOAD is not set # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_RANDOM_KMALLOC_CACHES=y # Allow for randomization of high-order page allocation freelist. Must be enabled with # the "page_alloc.shuffle=1" command line below). 
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Sanity check userspace page table mappings (since v5.17) CONFIG_PAGE_TABLE_CHECK=y CONFIG_PAGE_TABLE_CHECK_ENFORCED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. 
CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even # malicious sources should not cause problems. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and # minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y # Wipe RAM at reboot via EFI. # For more details, see: # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ # https://bugzilla.redhat.com/show_bug.cgi?id=1532058 CONFIG_RESET_ATTACK_MITIGATION=y # This needs userspace support, and will break "regular" distros. 
See: https://github.com/tych0/huldufolk CONFIG_STATIC_USERMODEHELPER=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below). # CONFIG_LEGACY_TIOCSTI is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table]. CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. 
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Support userspace CET Shadow Stack CONFIG_X86_USER_SHADOW_STACK=y # Remove additional (32-bit) attack surface, unless you really need them. 
# CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_X86_X32_ABI is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1) CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Remove arm32 support to reduce syscall attack surface. # CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Software Shadow Stack or PAC CONFIG_SHADOW_CALL_STACK=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. 
CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Make sure CONFIG_HARDENED_USERCOPY stays enabled. hardened_usercopy=1 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too). page_alloc.shuffle=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). 
page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Make sure the expected default is enabled to enable full ASLR in userpsace. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.) dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. 
net.core.bpf_jit_harden = 2 # Disable userfaultfd for unprivileged processes. vm.unprivileged_userfaultfd = 0 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks. fs.protected_symlinks = 1 fs.protected_hardlinks = 1 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads! fs.protected_fifos = 2 fs.protected_regular = 2 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable). fs.suid_dumpable = 0 920a8dcbe7c8b55e0bf6786f389b0b1549c3bbdd 4085 4084 2024-04-26T21:10:10Z KeesCook 3 /* sysctls */ clarify userfaultfd, fix typo wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. 
CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_LIST_HARDENED=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Make sure line disciplines can't be autoloaded (since v5.1). # CONFIG_LDISC_AUTOLOAD is not set # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_RANDOM_KMALLOC_CACHES=y # Allow for randomization of high-order page allocation freelist. Must be enabled with # the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Sanity check userspace page table mappings (since v5.17) CONFIG_PAGE_TABLE_CHECK=y CONFIG_PAGE_TABLE_CHECK_ENFORCED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). 
CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). 
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even # malicious sources should not cause problems. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and # minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y # Wipe RAM at reboot via EFI. # For more details, see: # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ # https://bugzilla.redhat.com/show_bug.cgi?id=1532058 CONFIG_RESET_ATTACK_MITIGATION=y # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk CONFIG_STATIC_USERMODEHELPER=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. 
# CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below). # CONFIG_LEGACY_TIOCSTI is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table]. CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. 
 # This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Support userspace CET Shadow Stack
 CONFIG_X86_USER_SHADOW_STACK=y
 # Remove additional (32-bit) attack surface, unless you really need them.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Mitigate Straight-Line Speculation.
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1)
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Software Shadow Stack or PAC
 CONFIG_SHADOW_CALL_STACK=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 # Enable Control Flow Integrity
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1
 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
 page_alloc.shuffle=1
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyperthreading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1
 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none
 # Make sure COMPAT_VDSO stays disabled
 vdso32=0

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
 kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Make sure the expected default is set, enabling full ASLR in userspace.
 kernel.randomize_va_space = 2
 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
 kernel.yama.ptrace_scope = 3
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0
 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)
 dev.tty.legacy_tiocsti = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2
 # Disable dangerous userfaultfd usage.
 vm.unprivileged_userfaultfd = 0
 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
 fs.protected_fifos = 2
 fs.protected_regular = 2
 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
 fs.suid_dumpable = 0

6934eaf2367664936c4086df46d74ae528d484a4 4086 4085 2024-04-26T21:15:11Z KeesCook 3 /* x86_64 */ CONFIG_X86_KERNEL_IBT wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are.
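The lists that follow can be audited mechanically. The Python script below is an added example written for this page (it is not the wiki's own code, not part of the kernel build system and not the kernel-hardening-checker tool): it parses a kernel <code>.config</code>, a <code>/proc/cmdline</code> string and <code>sysctl</code> output, and reports every value that deviates from a subset of the recommendations on this page, accepting the pre-v4.11 option name where the page lists one. The recommended values are copied from the page (x86 values where architectures differ); the choice of subset is the example's own, and the sample inputs are constructed.

```python
"""Audit a kernel .config, a boot command line and sysctl output against the
settings recommended on this page. Added example for this page: not the wiki's
own code, not part of the kernel build system and not kernel-hardening-checker.
Expected values are copied from the page (x86 values where architectures
differ); the sample inputs at the bottom are constructed."""
import re

# "y": CONFIG_X=y expected; "n": "# CONFIG_X is not set" (or absent) expected;
# anything else is compared as an exact value.
RECOMMENDED_CONFIG = {
    "CONFIG_STRICT_KERNEL_RWX": "y", "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_HARDENED_USERCOPY": "y", "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",
    "CONFIG_DEVMEM": "n", "CONFIG_DEVKMEM": "n", "CONFIG_COMPAT_BRK": "n",
    "CONFIG_CFI_PERMISSIVE": "n",
}
# Pre-v4.11 name listed on the page; either name carrying the wanted value passes.
ALTERNATIVES = {"CONFIG_STRICT_KERNEL_RWX": ("CONFIG_DEBUG_RODATA",)}
# None marks a bare flag (no "=value") that only has to be present.
RECOMMENDED_CMDLINE = {
    "init_on_alloc": "1", "init_on_free": "1", "randomize_kstack_offset": "on",
    "page_alloc.shuffle": "1", "slab_nomerge": None, "pti": "on",
    "vsyscall": "none", "mitigations": "auto,nosmt", "iommu.strict": "1",
}
RECOMMENDED_SYSCTL = {
    "kernel.kptr_restrict": "2", "kernel.yama.ptrace_scope": "3",
    "kernel.unprivileged_bpf_disabled": "1", "fs.protected_symlinks": "1",
    "fs.suid_dumpable": "0",
}
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Map CONFIG_X -> value; an explicit 'is not set' line maps to 'n'."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if m := _SET.match(line):
            cfg[m[1]] = m[2].strip('"')
        elif m := _UNSET.match(line):
            cfg[m[1]] = "n"
    return cfg

def check_kconfig(text):
    """Sorted (option, expected, actual) per deviation. An option absent from
    .config counts as 'n', which is how Kconfig itself treats it."""
    cfg = parse_kconfig(text)
    findings = []
    for opt, want in RECOMMENDED_CONFIG.items():
        values = [cfg.get(name, "n") for name in (opt,) + ALTERNATIVES.get(opt, ())]
        if want not in values:
            findings.append((opt, want, values[0]))
    return sorted(findings)

def parse_cmdline(cmdline):
    """Split a /proc/cmdline string into {param: value}; bare flags map to None.
    A parameter given twice keeps the later value in this parser."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params

def check_cmdline(cmdline):
    """Sorted (param, expected, actual); 'missing' marks an absent parameter."""
    params = parse_cmdline(cmdline)
    findings = []
    for key, want in RECOMMENDED_CMDLINE.items():
        if key not in params:
            findings.append((key, "present" if want is None else want, "missing"))
        elif want is not None and params[key] != want:
            findings.append((key, want, params[key]))
    return sorted(findings)

def check_sysctl(text):
    """Sorted (sysctl, expected, actual) from 'key = value' lines as printed by
    sysctl(8); 'missing' marks an absent key."""
    current = {key.strip(): value.strip() for key, sep, value in
               (line.partition("=") for line in text.splitlines()) if sep}
    return sorted((key, want, current.get(key, "missing"))
                  for key, want in RECOMMENDED_SYSCTL.items()
                  if current.get(key) != want)

# Constructed samples: an old .config, a boot line missing two parameters, and
# sysctl output with three weak values and one key absent.
SAMPLE_CONFIG = """\
CONFIG_DEBUG_RODATA=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_DEVMEM=y
# CONFIG_COMPAT_BRK is not set
CONFIG_CFI_PERMISSIVE=y
"""
SAMPLE_CMDLINE = ("BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet init_on_alloc=1 init_on_free=1 "
                  "randomize_kstack_offset=on slab_nomerge pti=on mitigations=auto vsyscall=none")
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 1
kernel.yama.ptrace_scope = 1
kernel.unprivileged_bpf_disabled = 0
fs.suid_dumpable = 0
"""

if __name__ == "__main__":
    for finding in check_kconfig(SAMPLE_CONFIG) + check_cmdline(SAMPLE_CMDLINE) + check_sysctl(SAMPLE_SYSCTL):
        print("%s: expected %s, found %s" % finding)
```

On a live system the same functions take the contents of <code>/boot/config-$(uname -r)</code> (or <code>/proc/config.gz</code>), <code>/proc/cmdline</code> and the output of <code>sysctl -a</code>; each returns sorted (name, expected, actual) triples, so an empty list means that part of the subset is fully applied. The comparison is exact on purpose: a value that differs from the page's recommendation is reported even when it is also restrictive, so that the deviation is reviewed rather than silently accepted.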
This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_RANDOM_KMALLOC_CACHES=y
 # Allow for randomization of high-order page allocation freelist. (Must be enabled with
 # the "page_alloc.shuffle=1" command line below.)
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Sanity check userspace page table mappings (since v5.17)
 CONFIG_PAGE_TABLE_CHECK=y
 CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT Cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
 # Support userspace CET Shadow Stack
 CONFIG_X86_USER_SHADOW_STACK=y
 # Remove additional (32-bit) attack surface, unless you really need them.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Mitigate Straight-Line Speculation.
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1)
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Software Shadow Stack or PAC
 CONFIG_SHADOW_CALL_STACK=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 # Enable Control Flow Integrity
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1
 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
 page_alloc.shuffle=1
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyperthreading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1
 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none
 # Make sure COMPAT_VDSO stays disabled
 vdso32=0

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
 kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Make sure the expected default is set, enabling full ASLR in userspace.
 kernel.randomize_va_space = 2
 # Block all PTRACE_ATTACH.
If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.) dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 # Disable dangerous userfaultfd usage. vm.unprivileged_userfaultfd = 0 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks. fs.protected_symlinks = 1 fs.protected_hardlinks = 1 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads! fs.protected_fifos = 2 fs.protected_regular = 2 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable). fs.suid_dumpable = 0 8fce091afc0a333753516b1f2ace26aa38eb3125 4087 4086 2024-04-26T21:17:53Z KeesCook 3 /* x86_64 */ CONFIG_FINEIBT wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. 
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_LIST_HARDENED=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Make sure line disciplines can't be autoloaded (since v5.1). # CONFIG_LDISC_AUTOLOAD is not set # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. 
(And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_RANDOM_KMALLOC_CACHES=y # Allow for randomization of high-order page allocation freelist. Must be enabled with # the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Sanity check userspace page table mappings (since v5.17) CONFIG_PAGE_TABLE_CHECK=y CONFIG_PAGE_TABLE_CHECK_ENFORCED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. 
CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even # malicious sources should not cause problems. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and # minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y # Wipe RAM at reboot via EFI. 
# For more details, see: # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ # https://bugzilla.redhat.com/show_bug.cgi?id=1532058 CONFIG_RESET_ATTACK_MITIGATION=y # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk CONFIG_STATIC_USERMODEHELPER=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below). # CONFIG_LEGACY_TIOCSTI is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table]. CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. 
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18) CONFIG_X86_KERNEL_IBT=y # Support userspace CET Shadow Stack CONFIG_X86_USER_SHADOW_STACK=y # Remove additional (32-bit) attack surface, unless you really need them. 
# CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_X86_X32_ABI is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1). Disable FINEIBT since it is weaker than pure KCFI. CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set # CONFIG_FINEIBT is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Remove arm32 support to reduce syscall attack surface. # CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Software Shadow Stack or PAC CONFIG_SHADOW_CALL_STACK=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. 
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# Don't allow 16-bit program emulation and the associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For the maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.
hardened_usercopy=1
# Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize the kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Randomize the page allocator (needs CONF IG_SHUFFLE_PAGE_ALLOCATOR=y too).
page_alloc.shuffle=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3, without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3, without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0
iommu.strict=1
# Mitigate all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none
# Make sure COMPAT_VDSO stays disabled.
vdso32=0

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc.). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs a [https://patchwork.kernel.org/patch/9249919/ distro patch]; otherwise this is the same as "= 2").
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Make sure full userspace ASLR (the expected default) is enabled.
kernel.randomize_va_space = 2
# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
kernel.yama.ptrace_scope = 3
# Disable user namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0
# Disable TIOCSTI, which is used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2
# Disable dangerous userfaultfd usage.
vm.unprivileged_userfaultfd = 0
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Disable POSIX corner cases with creating files and FIFOs unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

Revision 4088 (2024-04-26, KeesCook): /* arm64 */ CONFIG_UNWIND_PATCH_PAC_INTO_SCS

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for the best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...).
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protection against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_LIST_HARDENED=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with the seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Provide userspace with the Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable the "lockdown" LSM for a bright line between the root user and kernel memory.
# Note that confidentiality mode also takes kernel-memory-reading debug interfaces (kprobes, BPF kernel memory reads, most of tracefs) away from root; plan for that before enabling it on a system you need to debug.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
# Perform usercopy bounds checking. (And disable the fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_RANDOM_KMALLOC_CACHES=y
# Allow for randomization of the high-order page allocation freelist. Must be enabled with
# the "page_alloc.shuffle=1" command line option below.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Sanity check userspace page table mappings (since v5.17).
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs the "page_poison=1" command line option below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n.)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3).
# Instead of "slub_debug=P" and "page_poison=1", a single place can now control memory allocation wiping.
# init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
CONFIG_INIT_STACK_ALL_ZERO=y
# Add guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting. (Prior to v5.5; since then full refcount_t checking is unconditional and this option no longer exists.)
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions, both at build time and at run time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets the initial value of the kernel.dmesg_restrict sysctl to 1).
CONFIG_SECURITY_DMESG_RESTRICT=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Randomize the kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15).
CONFIG_WERROR=y
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Enable feeding RNG entropy from the TPM, if available.
CONFIG_HW_RANDOM_TPM=y
# Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems. (These two Kconfig options were removed from newer kernels; the
# equivalent random.trust_bootloader= and random.trust_cpu= boot parameters remain.)
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from a function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros.
# See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes the kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep this interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace; keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Block TTY stuffing attacks (this will break screen readers; see the "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if the kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Limit sysrq to sync (16), remount read-only (32) and reboot (128). For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==
# Enable GCC plugins.
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces the lifetime of stale data on the stack).
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
# Randomize the layout of kernel structures. This may have a dramatic performance impact, so
# use with caution, or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y.
# (Since v5.18 these are CONFIG_RANDSTRUCT_FULL / CONFIG_RANDSTRUCT_PERFORMANCE and are no longer GCC-only.)
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
# Full 64-bit means PAE and the NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize the position of the kernel and of its memory regions.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enforce CET Indirect Branch Tracking in the kernel (since v5.18).
CONFIG_X86_KERNEL_IBT=y
# Support userspace CET Shadow Stack.
CONFIG_X86_USER_SHADOW_STACK=y
# Remove additional (32-bit) attack surface, unless you really need it.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y
# Mitigate Straight-Line Speculation.
CONFIG_SLS=y
# Enable Control Flow Integrity (since v6.1). Disable FineIBT since it is weaker than pure KCFI.
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set
# CONFIG_FINEIBT is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize the position of the kernel (requires a UEFI RNG or bootloader support for the /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y
# Enable the Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available.
CONFIG_SHADOW_CALL_STACK=y
CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
# Pointer authentication (ARMv8.3 and later). If the hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y
# Enable Control Flow Integrity.
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize the position of the kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# Don't allow 16-bit program emulation and the associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For the maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.
hardened_usercopy=1
# Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize the kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Randomize the page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
page_alloc.shuffle=1
# Disable slab merging (makes many heap overflow attacks more difficult).
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
# If you also want the "P" poisoning flag below, pass one combined option (slub_debug=ZFP) rather than repeating slub_debug= on the command line.
slub_debug=ZF
# (Before v5.3, without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3, without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0
iommu.strict=1
# Mitigate all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none
# Make sure COMPAT_VDSO stays disabled.
vdso32=0

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc.). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs a [https://patchwork.kernel.org/patch/9249919/ distro patch]; otherwise this is the same as "= 2").
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in. (One-way: once set it cannot be cleared again without a reboot.)
kernel.kexec_load_disabled = 1
# Make sure full userspace ASLR (the expected default) is enabled.
kernel.randomize_va_space = 2
# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". (Value "3" is one-way: it cannot be lowered again without a reboot.)
kernel.yama.ptrace_scope = 3
# Disable user namespaces, as they open up a large attack surface to unprivileged users. (This also breaks rootless containers and browser sandboxes that rely on them; check your workloads.)
user.max_user_namespaces = 0
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0
# Disable TIOCSTI, which is used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2
# Disable dangerous userfaultfd usage.
vm.unprivileged_userfaultfd = 0
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Disable POSIX corner cases with creating files and FIFOs unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

Page: Kernel Self Protection Project/Get Involved
Revision 4066 (2023-01-25, KeesCook)

Want to get involved in the [[Kernel Self Protection Project]]? Here's how:

= Join the conversations =
* Subscribe to the [http://vger.kernel.org/vger-lists.html#linux-hardening '''upstream''' Linux kernel hardening mailing list], <code>'''linux'''-hardening@vger.kernel.org</code>, where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].)
* Come to the every-2-weeks status update meeting.
See the [https://calendar.google.com/calendar/embed?src=47005f8f50f21da6133d7239f3cb93d1624d2e1949963ea75dd86d5f2d5721e0%40group.calendar.google.com calendar] for details.
* Join the <code>#linux-hardening</code> IRC channel on [https://libera.chat/ Libera.Chat].
* Optionally subscribe to the [https://www.openwall.com/lists/kernel-hardening/ '''general''' Linux kernel hardening mailing list], <code>'''kernel'''-hardening@lists.openwall.com</code>, where new hardening topics and summaries of completed work are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].)
** Note: when sending to <code>kernel-hardening@lists.openwall.com</code>, please also CC <code>linux-hardening@vger.kernel.org</code>.

= Introduce Yourself =
Send an email to the lists to introduce yourself!
* What topics are you interested in?
* What do you want to learn about?
* What experience do you have with security, the kernel, programming, or anything else you think is important?

= Pick something to work on =
Pick something from the [https://github.com/KSPP/linux/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.

= Contribute patches =
Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible.
When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct as possible, to avoid reviewers needing to recommend changes in those areas.

== grsecurity and other non-upstream patch sources ==
As with any other Free Software project, if you're upstreaming work from other projects it is particularly important that your patches give credit to the original authors, that licenses are compatible, that copyright notices are retained, etc. In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins.

For grsecurity copyright, when more specific details are not easy to find, the following could be used:

 Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.

Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity:

 $CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.
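The Recommended Settings page above lists what to set but not how to confirm a built kernel and a running system actually carry those values. The script below is an added example, not part of the KSPP wiki or of the kernel-hardening-checker tool it mentions: it compares a kernel .config, a boot command line and a /proc/sys tree against a hand-picked subset of the page's CONFIGs, command line options and sysctls. The wanted lists, the function names and the sample inputs written by make_sample() (a constructed .config, cmdline and /proc/sys tree with deliberate deviations) are this example's own, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the KSPP wiki): check a kernel .config, a boot
# command line and a /proc/sys tree against a hand-picked subset of the
# Recommended Settings. The wanted lists are this script's own selection;
# the sample tree written by make_sample() is constructed so it runs offline.

# Wanted .config entries in .config syntax. A "# CONFIG_X is not set" line
# means the option must be absent or explicitly unset.
kspp_wanted_config() {
    cat <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# CONFIG_DEVKMEM is not set
# CONFIG_COMPAT_BRK is not set
EOF
}

# check_config CONFIG_FILE  (wanted list on stdin)
# Prints one FAIL line per mismatch; returns the number of mismatches.
check_config() {
    cfg=$1; fails=0
    while IFS= read -r want; do
        case $want in
            "# CONFIG_"*" is not set")
                name=${want#"# "}; name=${name%" is not set"}; expect="is not set" ;;
            CONFIG_*=*)
                name=${want%%=*}; expect=${want#*=} ;;
            *) continue ;;
        esac
        # Anchor on "=" / " is not set" so CONFIG_STACKPROTECTOR cannot match CONFIG_STACKPROTECTOR_STRONG.
        actual=$(grep -E "^(# )?$name(=| is not set)" "$cfg" | head -n 1)
        if [ "$expect" = "is not set" ]; then
            # Kconfig treats a missing option as "n", so absence passes too.
            { [ -z "$actual" ] || [ "$actual" = "# $name is not set" ]; } && continue
        else
            [ "$actual" = "$name=$expect" ] && continue
        fi
        echo "FAIL $name: wanted '$expect', got '${actual:-absent}'"
        fails=$((fails + 1))
    done
    return $fails
}

# Boot parameters that must appear verbatim; "mitigations=auto" alone fails.
kspp_wanted_cmdline="hardened_usercopy=1 init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 slab_nomerge pti=on mitigations=auto,nosmt"

# check_cmdline CMDLINE_FILE
check_cmdline() {
    cmd=" $(cat "$1") "; fails=0
    for tok in $kspp_wanted_cmdline; do
        case $cmd in
            *" $tok "*) ;;
            *) echo "FAIL cmdline: missing '$tok'"; fails=$((fails + 1)) ;;
        esac
    done
    return $fails
}

# Wanted sysctls as "key value" pairs.
kspp_wanted_sysctls() {
    cat <<'EOF'
kernel.kptr_restrict 2
kernel.yama.ptrace_scope 3
kernel.unprivileged_bpf_disabled 1
fs.protected_symlinks 1
EOF
}

# check_sysctls ROOT  (wanted list on stdin); reads ROOT/proc/sys/<key with
# dots as slashes>. A missing file (e.g. Yama not built in) is a mismatch.
check_sysctls() {
    root=$1; fails=0
    while read -r key want; do
        [ -n "$key" ] || continue
        actual=$(cat "$root/proc/sys/$(echo "$key" | tr . /)" 2>/dev/null || echo absent)
        [ "$actual" = "$want" ] && continue
        echo "FAIL $key: wanted $want, got $actual"
        fails=$((fails + 1))
    done
    return $fails
}

# make_sample DIR: constructed inputs carrying three deviations per check.
make_sample() {
    d=$1
    mkdir -p "$d/proc/sys/kernel/yama" "$d/proc/sys/fs"
    printf '%s\n' "CONFIG_STACKPROTECTOR=y" "CONFIG_STACKPROTECTOR_STRONG=y" \
        "# CONFIG_MODULE_SIG_FORCE is not set" "CONFIG_DEFAULT_MMAP_MIN_ADDR=4096" \
        "# CONFIG_DEVKMEM is not set" "CONFIG_COMPAT_BRK=y" > "$d/config"
    echo "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro hardened_usercopy=1 init_on_alloc=1 slab_nomerge pti=on mitigations=auto quiet" > "$d/cmdline"
    echo 1 > "$d/proc/sys/kernel/kptr_restrict"
    echo 1 > "$d/proc/sys/kernel/yama/ptrace_scope"
    echo 1 > "$d/proc/sys/fs/protected_symlinks"
}

# Stand-alone run: build the sample tree and report each check's mismatch count.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
n=0; kspp_wanted_config | check_config "$demo_dir/config" || n=$?; echo "config mismatches: $n"
n=0; check_cmdline "$demo_dir/cmdline" || n=$?; echo "cmdline mismatches: $n"
n=0; kspp_wanted_sysctls | check_sysctls "$demo_dir" || n=$?; echo "sysctl mismatches: $n"
rm -rf "$demo_dir"
```

Against a live system, run `kspp_wanted_config | check_config /boot/config-$(uname -r)`, `check_cmdline /proc/cmdline` and `kspp_wanted_sysctls | check_sysctls /`; each function's return code is its mismatch count, so a zero exit means that subset of the page is fully applied. The version-dependent pairs from the page (the "prior to v4.11" / "since v4.11" options, CONFIG_REFCOUNT_FULL, the CONFIG_RANDOM_TRUST_* options) are deliberately left out of the wanted list, because an option that does not exist in the kernel being checked would otherwise be reported as a deviation.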
Page: Kernel Self Protection Project/Recommended Settings
Revision 4089 (2024-04-26, KeesCook): /* sysctls */ update comment for randomize_va_space

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for the best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...).
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
 # Provide userspace with the seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Provide userspace with the Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable the "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 
 # Perform usercopy bounds checking. (And disable the fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_RANDOM_KMALLOC_CACHES=y
 
 # Allow for randomization of the high-order page allocation freelist.
 # (Must be enabled with the "page_alloc.shuffle=1" command line option below.)
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Sanity check userspace page table mappings (since v5.17) CONFIG_PAGE_TABLE_CHECK=y CONFIG_PAGE_TABLE_CHECK_ENFORCED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. 
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 
 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y
 
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 
 # Enable feeding RNG entropy from the TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 # Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Wipe all caller-used registers on function exit (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
 # This needs userspace support, and will break "regular" distros.
 # See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep the interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace; keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Block TTY stuffing attacks (this will break screen readers; see the "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set
 
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 
 # Reboot devices immediately if the kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Limit sysrq to sync (16), remount read-only (32), and reboot (128); 16+32+128=176. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least modules must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18) CONFIG_X86_KERNEL_IBT=y # Support userspace CET Shadow Stack CONFIG_X86_USER_SHADOW_STACK=y # Remove additional (32-bit) attack surface, unless you really need them. 
# CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_X86_X32_ABI is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1). Disable FINEIBT since it is weaker than pure KCFI. CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set # CONFIG_FINEIBT is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Remove arm32 support to reduce syscall attack surface. # CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available. CONFIG_SHADOW_CALL_STACK=y CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. 
 # CONFIG_X86_MSR is not set
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =
 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1
 
 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 
 # Randomize the page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
 page_alloc.shuffle=1
 
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 
 # To protect against L1TF, at the cost of losing hyperthreading ('''slow''').
 nosmt
 
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 
 # (Before v5.3, without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # (Before v5.3, without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0
 iommu.strict=1
 
 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none
 
 # Make sure COMPAT_VDSO stays disabled.
 vdso32=0

= sysctls =
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
 kernel.kptr_restrict = 2
 
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs a [https://patchwork.kernel.org/patch/9249919/ distro patch]; otherwise this is the same as "= 2").
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Enable all available Address Space Layout Randomization (ASLR) for userspace processes.
 kernel.randomize_va_space = 2
 
 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
 kernel.yama.ptrace_scope = 3
 
 # Disable user namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 
 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0
 
 # Disable TIOCSTI, which is used to inject keypresses. (This will, however, break screen readers.)
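The build CONFIGs, command-line options and sysctls above are easy to drift from between kernel builds and image updates, so here is an added example of auditing a system against them. It is a POSIX shell script written for this page, not part of the wiki and not the kernel-hardening-checker tool linked above; the function names (check_config, check_cmdline, check_sysctl, demo), the short checklists, the sample .config and the fake sysctl tree are all constructed for the demo and cover only a handful of the settings listed. It shows the two ways an option is "off" in a .config (an explicit "# CONFIG_X is not set" line, or no line at all), and it reports a sysctl that does not exist separately from one with the wrong value, which is what a Yama that is built in but missing from CONFIG_LSM looks like from userspace.

```shell
#!/bin/sh
# Added example (not from the wiki): audit a .config, a kernel command line and
# a sysctl tree against a small hardening checklist. All lists and sample
# inputs below are constructed for the demo.

# OPTION=VALUE pairs. VALUE "n" means the option must be off, which in a .config
# is either an explicit "# CONFIG_X is not set" line or no line at all.
# Values are compared verbatim, so numbers work; quoted strings are not handled.
WANT_CONFIG='
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_DEVMEM=n
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_DEVKMEM=n
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
CONFIG_MODULE_SIG_FORCE=y
'

# Kernel command-line tokens that must be present verbatim.
WANT_CMDLINE='init_on_alloc=1 init_on_free=1 slab_nomerge pti=on page_alloc.shuffle=1 vsyscall=none'

# sysctl KEY=VALUE pairs in the dotted form sysctl(8) uses.
WANT_SYSCTL='
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.yama.ptrace_scope=3
kernel.unprivileged_bpf_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.suid_dumpable=0
'

# check_config FILE: print one line per option that is off or has the wrong value.
check_config() {
    for want in $WANT_CONFIG; do
        opt=${want%%=*}
        val=${want#*=}
        # The last matching line wins, as it does for the Kconfig tooling.
        have=$(grep -E "^($opt=|# $opt is not set)" "$1" | tail -n 1)
        case $have in
            "$opt=$val") ;;
            ""|"# $opt is not set")
                [ "$val" = n ] || echo "CONFIG $opt is off, want $val" ;;
            *)  echo "CONFIG $opt=${have#*=}, want $val" ;;
        esac
    done
}

# check_cmdline "STRING": STRING is normally $(cat /proc/cmdline).
check_cmdline() {
    for tok in $WANT_CMDLINE; do
        case " $1 " in
            *" $tok "*) ;;
            *) echo "CMDLINE missing $tok" ;;
        esac
    done
}

# check_sysctl ROOT: ROOT is /proc/sys on a live system. A key with no file at
# all is reported separately from a wrong value: that is what a Yama that is
# built in but not listed in CONFIG_LSM looks like from userspace.
check_sysctl() {
    for want in $WANT_SYSCTL; do
        key=${want%%=*}
        val=${want#*=}
        path="$1/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "SYSCTL $key absent"
        elif [ "$(cat "$path")" != "$val" ]; then
            echo "SYSCTL $key=$(cat "$path"), want $val"
        fi
    done
}

# demo: run all three checks on constructed inputs and print the findings
# (4 from the .config, 3 from the command line, 3 from the sysctl tree).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/config" <<'EOF'
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_DEVMEM=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_DEVKMEM is not set
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=1
EOF
    mkdir -p "$tmp/sys/kernel" "$tmp/sys/fs"   # no kernel/yama: Yama not stacked
    echo 1 > "$tmp/sys/kernel/kptr_restrict"
    echo 1 > "$tmp/sys/kernel/dmesg_restrict"
    echo 1 > "$tmp/sys/kernel/unprivileged_bpf_disabled"
    echo 1 > "$tmp/sys/fs/protected_symlinks"
    echo 1 > "$tmp/sys/fs/protected_hardlinks"
    echo 2 > "$tmp/sys/fs/suid_dumpable"
    check_config "$tmp/config"
    check_cmdline "quiet init_on_alloc=1 slab_nomerge pti=on"
    check_sysctl "$tmp/sys"
    rm -rf "$tmp"
}

demo
```

To audit a real machine, call check_config on /boot/config-$(uname -r) (or a decompressed /proc/config.gz), check_cmdline with "$(cat /proc/cmdline)" and check_sysctl with /proc/sys. Values are compared verbatim, so string options such as CONFIG_MODULE_SIG_KEY would need their quotes included in the checklist, and sysctl keys whose components themselves contain dots (per-interface net.* entries) would need a smarter dot-to-slash mapping than tr.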
dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 # Disable dangerous userfaultfd usage. vm.unprivileged_userfaultfd = 0 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks. fs.protected_symlinks = 1 fs.protected_hardlinks = 1 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads! fs.protected_fifos = 2 fs.protected_regular = 2 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable). fs.suid_dumpable = 0 1634a8856f4798dabf9969fc92a8fd83f0ab0e62 4090 4089 2024-04-26T21:42:52Z KeesCook 3 /* sysctls */ warn_limit and oops_limit wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) 
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
 # Provide userspace with the seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Provide userspace with the Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable the "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 
 # Perform usercopy bounds checking. (And disable the fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_RANDOM_KMALLOC_CACHES=y
 
 # Allow for randomization of the high-order page allocation freelist.
 # (Must be enabled with the "page_alloc.shuffle=1" command line option below.)
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Sanity check userspace page table mappings (since v5.17) CONFIG_PAGE_TABLE_CHECK=y CONFIG_PAGE_TABLE_CHECK_ENFORCED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. 
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 
 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y
 
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 
 # Enable feeding RNG entropy from the TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 # Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Wipe all caller-used registers on function exit (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
 # This needs userspace support, and will break "regular" distros.
 # See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep the interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace; keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Block TTY stuffing attacks (this will break screen readers; see the "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set
 
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 
 # Reboot devices immediately if the kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Limit sysrq to sync (16), remount read-only (32), and reboot (128); 16+32+128=176. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least modules must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18) CONFIG_X86_KERNEL_IBT=y # Support userspace CET Shadow Stack CONFIG_X86_USER_SHADOW_STACK=y # Remove additional (32-bit) attack surface, unless you really need them. 
# CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_X86_X32_ABI is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1). Disable FINEIBT since it is weaker than pure KCFI. CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set # CONFIG_FINEIBT is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Remove arm32 support to reduce syscall attack surface. # CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available. CONFIG_SHADOW_CALL_STACK=y CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. 
 # CONFIG_X86_MSR is not set
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =
 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1
 
 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 
 # Randomize the page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
 page_alloc.shuffle=1
 
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 
 # To protect against L1TF, at the cost of losing hyperthreading ('''slow''').
 nosmt
 
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 
 # (Before v5.3, without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 
 # (Before v5.3, without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0
 iommu.strict=1
 
 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none
 
 # Make sure COMPAT_VDSO stays disabled.
 vdso32=0

= sysctls =
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
 kernel.kptr_restrict = 2
 
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 
 # Block non-uid-0 profiling (needs a [https://patchwork.kernel.org/patch/9249919/ distro patch]; otherwise this is the same as "= 2").
 kernel.perf_event_paranoid = 3
 
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
 # Enable all available Address Space Layout Randomization (ASLR) for userspace processes.
 kernel.randomize_va_space = 2
 
 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
 kernel.yama.ptrace_scope = 3
 
 # Disable user namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 
 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0
 
 # Disable TIOCSTI, which is used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2) kernel/warn_limit = 1 kernel/oops_limit = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 # Disable dangerous userfaultfd usage. vm.unprivileged_userfaultfd = 0 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks. fs.protected_symlinks = 1 fs.protected_hardlinks = 1 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads! fs.protected_fifos = 2 fs.protected_regular = 2 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable). fs.suid_dumpable = 0 d511d9d704c949affb805368251de9a0c479bd27 4091 4090 2024-04-26T21:44:05Z KeesCook 3 /* sysctls */ wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. 
# Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_LIST_HARDENED=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Make sure line disciplines can't be autoloaded (since v5.1). # CONFIG_LDISC_AUTOLOAD is not set # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y # Provide userspace with Landlock MAC interface. # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. 
CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_RANDOM_KMALLOC_CACHES=y # Allow for randomization of high-order page allocation freelist. Must be enabled with # the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Sanity check userspace page table mappings (since v5.17) CONFIG_PAGE_TABLE_CHECK=y CONFIG_PAGE_TABLE_CHECK_ENFORCED=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y # Wipe slab and page allocations (since v5.3) # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. # The init_on_free is only needed if there is concern about minimizing stale data lifetime. CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) CONFIG_INIT_STACK_ALL_ZERO=y # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y # Perform extensive checks on reference counting. CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. 
CONFIG_UBSAN=y CONFIG_UBSAN_TRAP=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y # Disable DMA between EFI hand-off and the kernel's IOMMU setup. CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even # malicious sources should not cause problems. CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and # minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y # Wipe RAM at reboot via EFI. # For more details, see: # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ # https://bugzilla.redhat.com/show_bug.cgi?id=1532058 CONFIG_RESET_ATTACK_MITIGATION=y # This needs userspace support, and will break "regular" distros. 
See: https://github.com/tych0/huldufolk CONFIG_STATIC_USERMODEHELPER=y # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR. # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout. # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR. # CONFIG_COMPAT_VDSO is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_KEXEC is not set # Dangerous; enabling this allows replacement of running kernel. # CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below). # CONFIG_LEGACY_TIOCSTI is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table]. CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. 
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. # When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18) CONFIG_X86_KERNEL_IBT=y # Support userspace CET Shadow Stack CONFIG_X86_USER_SHADOW_STACK=y # Remove additional (32-bit) attack surface, unless you really need them. 
# CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_X86_X32_ABI is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1). Disable FINEIBT since it is weaker than pure KCFI. CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set # CONFIG_FINEIBT is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Remove arm32 support to reduce syscall attack surface. # CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available. CONFIG_SHADOW_CALL_STACK=y CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. 
# CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Make sure CONFIG_HARDENED_USERCOPY stays enabled. hardened_usercopy=1 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too). page_alloc.shuffle=1 # Disable slab merging (makes many heap overflow attacks more difficult). slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). 
slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Enable all available Address Space Randomization (ASLR) for userspace processes. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.) 
dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2) # If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS. kernel/warn_limit = 1 kernel/oops_limit = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 # Disable dangerous userfaultfd usage. vm.unprivileged_userfaultfd = 0 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks. fs.protected_symlinks = 1 fs.protected_hardlinks = 1 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads! fs.protected_fifos = 2 fs.protected_regular = 2 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable). fs.suid_dumpable = 0 02ecdaeb7ab4ece082c0b56416bdcf2f7e3ce5ea 4092 4091 2024-04-26T21:46:58Z KeesCook 3 /* CONFIGs */ CONFIG_KFENCE_SAMPLE_INTERVAL wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. 
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
 CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
 # Provide userspace with the seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
 # Provide userspace with the Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable the "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_RANDOM_KMALLOC_CACHES=y
 
 # Allow for randomization of the high-order page allocation freelist. (Must be enabled with
 # the "page_alloc.shuffle=1" command line below.)
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 
 # Sanity check userspace page table mappings (since v5.17).
 CONFIG_PAGE_TABLE_CHECK=y
 CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3).
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free setting is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
 CONFIG_INIT_STACK_ALL_ZERO=y
 
 # Add guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 
 # Check for memory copies that might overflow a structure in str*() and mem*() functions, both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 
 # Avoid kernel memory address exposures via dmesg (sets the sysctl kernel.dmesg_restrict initial value to 1).
 CONFIG_SECURITY_DMESG_RESTRICT=y
 
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 CONFIG_KFENCE_SAMPLE_INTERVAL=100
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 
 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y
 
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 
 # Enable feeding RNG entropy from the TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 # Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_KEXEC is not set
 
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_HIBERNATION is not set
 
 # Prior to v4.1, assists heap memory attacks; best to keep the interface disabled.
 # CONFIG_INET_DIAG is not set
 
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
 # Block TTY stuffing attacks (this will break screen readers, see the "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set
 
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 
 # Reboot devices immediately if the kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC plugins.
 CONFIG_GCC_PLUGINS=y
 
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 
 # Wipe stack contents on syscall exit (reduces stale data lifetime in the stack).
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # Randomize the layout of system structures. This may have a dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

 # Full 64-bit means PAE and the NX bit.
 CONFIG_X86_64=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
 
 # Support userspace CET Shadow Stack.
 CONFIG_X86_USER_SHADOW_STACK=y
 
 # Remove additional (32-bit) attack surface, unless you really need it.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 
 # Mitigate Straight-Line Speculation.
 CONFIG_SLS=y
 
 # Enable Control Flow Integrity (since v6.1). Disable FINEIBT since it is weaker than pure KCFI.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
 # CONFIG_FINEIBT is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # Randomize position of kernel (requires UEFI RNG or bootloader support for the /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set
 
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 
 # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available.
 CONFIG_SHADOW_CALL_STACK=y
 CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
 
 # Pointer authentication (ARMv8.3 and later). If the hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 
 # Enable Control Flow Integrity.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 
 # Don't allow 16-bit program emulation and the associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1
 
 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 
 # Randomize the page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
 page_alloc.shuffle=1
 
 # Disable slab merging (makes many heap overflow attacks more difficult).
 slab_nomerge
 
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 
 # To protect against L1TF, at the cost of losing hyper threading ('''slow''').
 nosmt
 
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 
 # (Before v5.3, without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0
 iommu.strict=1
 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none
 # Make sure COMPAT_VDSO stays disabled.
 vdso32=0

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
 kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Enable all available Address Space Randomization (ASLR) for userspace processes.
 kernel.randomize_va_space = 2
 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
 kernel.yama.ptrace_scope = 3
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0
 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)
 dev.tty.legacy_tiocsti = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
 # If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS.
 kernel/warn_limit = 1
 kernel/oops_limit = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2
 # Disable dangerous userfaultfd usage.
 vm.unprivileged_userfaultfd = 0
 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
 fs.protected_fifos = 2
 fs.protected_regular = 2
 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
 fs.suid_dumpable = 0

57799ab89c686df21610eea11021fe36a183a1b3 4093 4092 2024-04-26T21:49:00Z KeesCook 3 /* CONFIGs */ CONFIG_SLAB_MERGE_DEFAULT wikitext text/x-wiki
4137a69764d83eca469abc601719a6bc87ef8d87 4094 4093 2024-04-26T21:49:41Z KeesCook 3 /* kernel command line options */ wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_RANDOM_KMALLOC_CACHES=y
 # Make cross-slab heap attacks less trivial when object sizes are the same. (Same as slab_nomerge boot param.)
 # CONFIG_SLAB_MERGE_DEFAULT is not set
 # Allow for randomization of high-order page allocation freelist. Must be enabled with
 # the "page_alloc.shuffle=1" command line below.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Sanity check userspace page table mappings (since v5.17).
 CONFIG_PAGE_TABLE_CHECK=y
 CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3).
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1).
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 CONFIG_KFENCE_SAMPLE_INTERVAL=100
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack).
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
 # Support userspace CET Shadow Stack.
 CONFIG_X86_USER_SHADOW_STACK=y
 # Remove additional (32-bit) attack surface, unless you really need it.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Straight-Line-Speculation
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1). Disable FINEIBT since it is weaker than pure KCFI.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
 # CONFIG_FINEIBT is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available.
 CONFIG_SHADOW_CALL_STACK=y
 CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 # Enable Control Flow Integrity
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Make sure CONFIG_HARDENED_USERCOPY stays enabled. hardened_usercopy=1 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too). page_alloc.shuffle=1 # Disable slab merging to make some heap overflow attacks more difficult. (See also CONFIG_SLAB_MERGE_DEFAULT) slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). 
slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Enable all available Address Space Randomization (ASLR) for userspace processes. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.) 
 dev.tty.legacy_tiocsti = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
 # If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS.
 kernel/warn_limit = 1
 kernel/oops_limit = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2
 # Disable dangerous userfaultfd usage.
 vm.unprivileged_userfaultfd = 0
 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
 fs.protected_fifos = 2
 fs.protected_regular = 2
 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
 fs.suid_dumpable = 0

4ba8e0c7cc56df1e97cf45f3383651fdd7c886c0 4095 4094 2024-04-26T21:50:58Z KeesCook 3 /* CONFIGs */ wikitext text/x-wiki

74d5b53b5a148670f6aae251534d02b5fe0f0461 4096 4095 2024-04-26T21:53:37Z KeesCook 3 /* sysctls */ kernel.modules_disabled wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protection against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with the seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with the Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable the "lockdown" LSM for a bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable the fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_RANDOM_KMALLOC_CACHES=y
 # Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as the slab_nomerge boot param.)
 # CONFIG_SLAB_MERGE_DEFAULT is not set
 # Allow for randomization of the high-order page allocation freelist. Must be enabled with
 # the "page_alloc.shuffle=1" command line below.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Sanity check userspace page table mappings (since v5.17).
 CONFIG_PAGE_TABLE_CHECK=y
 CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n.)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3).
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below.)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting (prior to v5.5; later kernels always include the full checks).
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets the sysctl kernel.dmesg_restrict initial value to 1).
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 CONFIG_KFENCE_SAMPLE_INTERVAL=100
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from the TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The RNG's entropy mixing cannot be weakened by injected input, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of the running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep the interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Block TTY stuffing attacks (this will break screen readers, see the "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if the kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Limit sysrq to sync (16), remount read-only (32) and reboot/poweroff (128); this is also the initial value of the kernel.sysrq sysctl. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
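Checking a real build against a list this long is tedious by hand. The script below is an added example written for this page (it is not code from the KSPP wiki, nor from the kernel-hardening-checker tool mentioned in the introduction): a small POSIX shell checker that compares a kernel .config, a kernel command line and "sysctl -a" style output against a handful of the settings from this page's CONFIGs, command line and sysctls sections. The `WANT_*` lists, the `SAMPLE_*` inputs and all function names are this example's own; the samples are constructed so that the script runs offline. On a live host you would feed it /boot/config-$(uname -r), /proc/cmdline and the output of `sysctl -a` instead.

```shell
#!/bin/sh
# Added example for this page (not KSPP or kernel-hardening-checker code):
# audit a .config, a kernel command line and sysctl output against a subset
# of the recommended settings. All inputs are constructed samples.

# Expectations, in the notation this page uses. "NAME is not set" means the
# symbol must be disabled (or not exist at all in this kernel version).
WANT_CONFIG='
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_DEVMEM is not set
CONFIG_HARDENED_USERCOPY=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_KEXEC is not set
CONFIG_ACPI_CUSTOM_METHOD is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
'
WANT_CMDLINE='init_on_alloc=1 init_on_free=1 slab_nomerge pti=on vsyscall=none'
WANT_SYSCTL='
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 3
kernel.unprivileged_bpf_disabled = 1
kernel/oops_limit = 1
fs.protected_symlinks = 1
'

# Constructed samples standing in for /boot/config-$(uname -r), /proc/cmdline
# and "sysctl -a" on a typical distro kernel (not taken from any real host).
SAMPLE_CONFIG='
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_KEXEC=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet init_on_alloc=1 pti=on mitigations=auto,nosmt'
SAMPLE_SYSCTL='
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1
kernel.unprivileged_bpf_disabled = 2
fs.protected_symlinks = 1
'

# config_state NAME CONFIG_TEXT: prints the symbol's value, "n" for a
# "# NAME is not set" line, or "absent" if the symbol does not occur at all.
config_state() {
  v=$(printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"
  elif printf '%s\n' "$2" | grep -qx "# $1 is not set"; then echo n
  else echo absent
  fi
}

# check_config WANT CONFIG_TEXT: prints one "CONFIG ..." line per deviation.
check_config() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    case $line in
      *' is not set') name=${line% is not set}; want=n ;;
      *)              name=${line%%=*};         want=${line#*=} ;;
    esac
    have=$(config_state "$name" "$2")
    # An absent symbol is only a finding when it must be enabled: an option
    # that does not exist in this kernel version cannot be "set".
    if [ "$have" != "$want" ]; then
      if [ "$want" != n ] || [ "$have" != absent ]; then
        printf 'CONFIG %s: want %s, have %s\n' "$name" "$want" "$have"
      fi
    fi
  done
}

# check_cmdline WANT CMDLINE: each expected token must appear as a whole word.
check_cmdline() {
  for tok in $1; do
    case " $2 " in
      *" $tok "*) ;;
      *) printf 'CMDLINE %s missing\n' "$tok" ;;
    esac
  done
}

# check_sysctl WANT SYSCTL_TEXT: compares values; keys are normalised so the
# "kernel/oops_limit" spelling matches the dotted form that sysctl -a prints.
check_sysctl() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    key=$(printf '%s' "${line%%=*}" | tr -d ' ' | tr / .)
    want=$(printf '%s' "${line#*=}" | tr -d ' ')
    have=$(printf '%s\n' "$2" | awk -F= -v k="$key" '
      { sub(/ +$/, "", $1); sub(/^ +/, "", $2); gsub("/", ".", $1) }
      $1 == k { print $2; found = 1 }
      END { if (!found) print "absent" }')
    if [ "$have" != "$want" ]; then
      printf 'SYSCTL %s: want %s, have %s\n' "$key" "$want" "$have"
    fi
  done
}

# audit_sample: all three checks over the constructed samples.
audit_sample() {
  check_config  "$WANT_CONFIG"  "$SAMPLE_CONFIG"
  check_cmdline "$WANT_CMDLINE" "$SAMPLE_CMDLINE"
  check_sysctl  "$WANT_SYSCTL"  "$SAMPLE_SYSCTL"
}

# finding_count: number of deviations reported (12 for the samples above).
finding_count() { audit_sample | awk 'END { print NR }'; }

audit_sample
echo "findings: $(finding_count)"
```

Two details are worth noting. A symbol that does not appear in .config at all (CONFIG_ACPI_CUSTOM_METHOD in the sample) is only reported when the page requires it enabled, since an option that does not exist in that kernel version cannot be "set". And the sample's `kernel.unprivileged_bpf_disabled = 2` is flagged on purpose: 2 also disables unprivileged BPF, but an administrator can switch it back at runtime, whereas the value 1 this page recommends stays in force until reboot.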
 # See also the kernel.modules_disabled sysctl below.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

== GCC plugins ==

 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC older than 12 (Clang and GCC 12+ builds use CONFIG_INIT_STACK_ALL_ZERO=y above instead):
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in the stack).
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 # Randomize the layout of sensitive kernel structures. This may have a dramatic performance impact, so
 # use with caution or use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y instead.
 # (Since v5.19 the same choice is CONFIG_RANDSTRUCT_FULL=y / CONFIG_RANDSTRUCT_PERFORMANCE=y and is no longer GCC-plugin specific.)
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
 # Support userspace CET Shadow Stack. (Since v6.6)
 CONFIG_X86_USER_SHADOW_STACK=y
 # Remove additional (32-bit) attack surface, unless you really need it.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Straight-Line-Speculation mitigation.
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1). Disable FINEIBT since it is weaker than pure KCFI.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
 # CONFIG_FINEIBT is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for the /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available.
 # (UNWIND_PATCH_PAC_INTO_SCS, since v6.2, patches the PAC instructions into shadow call stack instructions at boot when the CPU lacks PAC.)
 CONFIG_SHADOW_CALL_STACK=y
 CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 # Enable Control Flow Integrity.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1
 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
 page_alloc.shuffle=1
 # Disable slab merging to make some heap overflow attacks more difficult. (See also CONFIG_SLAB_MERGE_DEFAULT.)
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyper-threading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 # (The slub_debug flags combine into one option, e.g. slub_debug=ZFP; give them all in a single slub_debug= parameter.)
 slub_debug=ZF
 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Disable module loading. For example, this can be set after the system has [https://outflux.net/blog/archives/2009/07/31/blocking-module-loading/ finished booting] and initializing hardware. kernel.disable_modules = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Enable all available Address Space Randomization (ASLR) for userspace processes. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. 
223ffb485c3b4e162f0c909b2a496a055ffe0a75 4097 4096 2024-04-26T21:54:33Z KeesCook 3 /* CONFIGs */ CONFIG_MODULE_FORCE_LOAD wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_RANDOM_KMALLOC_CACHES=y
 # Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
 # CONFIG_SLAB_MERGE_DEFAULT is not set
 # Allow for randomization of high-order page allocation freelist. Must be enabled with
 # the "page_alloc.shuffle=1" command line below.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Sanity check userspace page table mappings (since v5.17)
 CONFIG_PAGE_TABLE_CHECK=y
 CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 CONFIG_KFENCE_SAMPLE_INTERVAL=100
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 # See also kernel.modules_disabled sysctl below.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 # CONFIG_MODULE_FORCE_LOAD is not set

== GCC plugins ==
 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
 # Support userspace CET Shadow Stack
 CONFIG_X86_USER_SHADOW_STACK=y
 # Remove additional (32-bit) attack surface, unless you really need them.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Straight-Line-Speculation
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1). Disable FINEIBT since it is weaker than pure KCFI.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
 # CONFIG_FINEIBT is not set

== arm64 ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available.
 CONFIG_SHADOW_CALL_STACK=y
 CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y
 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y
 # Enable Control Flow Integrity
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y
 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y
 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =
 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1
 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1
 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on
 # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
 page_alloc.shuffle=1
 # Disable slab merging to make some heap overflow attacks more difficult. (See also CONFIG_SLAB_MERGE_DEFAULT)
 slab_nomerge
 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on
 # To protect against L1TF, at the cost of losing hyper threading ('''slow''').
 nosmt
 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF
 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P
 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1
 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==
 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none
 # Make sure COMPAT_VDSO stays disabled
 vdso32=0

= sysctls =
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
 kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1
 # Disable module loading. For example, this can be set after the system has [https://outflux.net/blog/archives/2009/07/31/blocking-module-loading/ finished booting] and initializing hardware.
 kernel.modules_disabled = 1
 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
 kernel.perf_event_paranoid = 3
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 # Enable all available Address Space Randomization (ASLR) for userspace processes.
 kernel.randomize_va_space = 2
 # Block all PTRACE_ATTACH.
 # If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
 kernel.yama.ptrace_scope = 3
 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0
 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0
 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)
 dev.tty.legacy_tiocsti = 0
 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1
 # Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
 # If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS.
 kernel.warn_limit = 1
 kernel.oops_limit = 1
 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2
 # Disable dangerous userfaultfd usage.
 vm.unprivileged_userfaultfd = 0
 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
 fs.protected_fifos = 2
 fs.protected_regular = 2
 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
 fs.suid_dumpable = 0

e30a6cd171c0a2765b34e877c903083d468aed9b 4098 4097 2024-04-26T22:22:58Z KeesCook 3 /* CONFIGs */ CONFIG_SECURITY_SELINUX_DEBUG wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 # Perform additional validation of various commonly targeted structures.
 CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_SELINUX_DEBUG is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_RANDOM_KMALLOC_CACHES=y
 # Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
 # CONFIG_SLAB_MERGE_DEFAULT is not set
 # Allow for randomization of high-order page allocation freelist. Must be enabled with
 # the "page_alloc.shuffle=1" command line below.
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Sanity check userspace page table mappings (since v5.17)
 CONFIG_PAGE_TABLE_CHECK=y
 CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL_ZERO=y
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 CONFIG_KFENCE_SAMPLE_INTERVAL=100
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set
 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set
 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set
 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 # See also kernel.modules_disabled sysctl below.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 # CONFIG_MODULE_FORCE_LOAD is not set

== GCC plugins ==
 # Enable GCC Plugins
 CONFIG_GCC_PLUGINS=y
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
 # Support userspace CET Shadow Stack
 CONFIG_X86_USER_SHADOW_STACK=y
 # Remove additional (32-bit) attack surface, unless you really need them.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Straight-Line-Speculation
 CONFIG_SLS=y
 # Enable Control Flow Integrity (since v6.1). Disable FINEIBT since it is weaker than pure KCFI.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
 # CONFIG_FINEIBT is not set

== arm64 ==
 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available.
 CONFIG_SHADOW_CALL_STACK=y
 CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y
 # Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Make sure CONFIG_HARDENED_USERCOPY stays enabled. hardened_usercopy=1 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too). 
page_alloc.shuffle=1 # Disable slab merging to make some heap overflow attacks more difficult. (See also CONFIG_SLAB_MERGE_DEFAULT) slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Disable module loading. For example, this can be set after the system has [https://outflux.net/blog/archives/2009/07/31/blocking-module-loading/ finished booting] and initializing hardware. 
kernel.disable_modules = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Enable all available Address Space Randomization (ASLR) for userspace processes. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.) dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2) # If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS. kernel/warn_limit = 1 kernel/oops_limit = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 # Disable dangerous userfaultfd usage. vm.unprivileged_userfaultfd = 0 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks. fs.protected_symlinks = 1 fs.protected_hardlinks = 1 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads! fs.protected_fifos = 2 fs.protected_regular = 2 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable). 
fs.suid_dumpable = 0 32a3b5fb59b149cba5fb482ad7535830852cd9ec 4099 4098 2024-05-01T19:42:11Z KeesCook 3 need to disable fineibt with a boot param, there's no way to disable it with Kconfig yet wikitext text/x-wiki Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov. = CONFIGs = # Report BUG() conditions and kill the offending process. CONFIG_BUG=y # Make sure kernel page tables have safe permissions. CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below) CONFIG_DEBUG_RODATA=y (prior to v4.11) CONFIG_STRICT_KERNEL_RWX=y (since v4.11) # Report any dangerous memory permissions (not available on all archs). CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. # Prior to v4.18, these are: # CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) # CONFIG_DEVMEM is not set CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Provides some protections against SYN flooding. CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. CONFIG_LIST_HARDENED=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y # Provide userspace with seccomp BPF API for syscall attack surface reduction. CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Make sure line disciplines can't be autoloaded (since v5.1). 
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_SELINUX_DEBUG is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_RANDOM_KMALLOC_CACHES=y
# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
# CONFIG_SLAB_MERGE_DEFAULT is not set
# Allow for randomization of high-order page allocation freelist. Must be enabled with
# the "page_alloc.shuffle=1" command line below.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Sanity check userspace page table mappings (since v5.17)
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
CONFIG_KFENCE_SAMPLE_INTERVAL=100
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
# Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
# Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
# See also kernel.modules_disabled sysctl below.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
# CONFIG_MODULE_FORCE_LOAD is not set

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
CONFIG_X86_KERNEL_IBT=y
# Support userspace CET Shadow Stack
CONFIG_X86_USER_SHADOW_STACK=y
# Remove additional (32-bit) attack surface, unless you really need them.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y
# Mitigate Straight-Line Speculation.
CONFIG_SLS=y
# Enable Control Flow Integrity (since v6.1).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y
# Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available.
CONFIG_SHADOW_CALL_STACK=y
CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y
# Enable Control Flow Integrity
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.
hardened_usercopy=1
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
page_alloc.shuffle=1
# Disable slab merging to make some heap overflow attacks more difficult. (See also CONFIG_SLAB_MERGE_DEFAULT)
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0 iommu.strict=1
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none
# Make sure COMPAT_VDSO stays disabled
vdso32=0
# Disable FineIBT since it is weaker than pure KCFI.
cfi=kcfi

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Disable module loading. For example, this can be set after the system has [https://outflux.net/blog/archives/2009/07/31/blocking-module-loading/ finished booting] and initializing hardware.
kernel.modules_disabled = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Enable all available Address Space Layout Randomization (ASLR) for userspace processes.
kernel.randomize_va_space = 2
# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
kernel.yama.ptrace_scope = 3
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0
# Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
# If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS.
kernel.warn_limit = 1
kernel.oops_limit = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2
# Disable dangerous userfaultfd usage.
vm.unprivileged_userfaultfd = 0
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

Revision 4100 (parent 4099) by KeesCook, 2024-06-17T17:42:23Z: /* sysctls */ fix typos (thanks to Alexander Popov)

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_LIST_HARDENED=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_SELINUX_DEBUG is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_RANDOM_KMALLOC_CACHES=y
# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
# CONFIG_SLAB_MERGE_DEFAULT is not set
# Allow for randomization of high-order page allocation freelist. Must be enabled with
# the "page_alloc.shuffle=1" command line below.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Sanity check userspace page table mappings (since v5.17)
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
CONFIG_KFENCE_SAMPLE_INTERVAL=100
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
# Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
# Make scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
# See also kernel.modules_disabled sysctl below.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
# CONFIG_MODULE_FORCE_LOAD is not set

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enforce CET Indirect Branch Tracking in the kernel.
(Since v5.18) CONFIG_X86_KERNEL_IBT=y # Support userspace CET Shadow Stack CONFIG_X86_USER_SHADOW_STACK=y # Remove additional (32-bit) attack surface, unless you really need them. # CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_X86_X32_ABI is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y # Enable Control Flow Integrity (since v6.1). CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Remove arm32 support to reduce syscall attack surface. # CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available. CONFIG_SHADOW_CALL_STACK=y CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. 
# CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Make sure CONFIG_HARDENED_USERCOPY stays enabled. hardened_usercopy=1 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too). page_alloc.shuffle=1 # Disable slab merging to make some heap overflow attacks more difficult. (See also CONFIG_SLAB_MERGE_DEFAULT) slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). 
nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 # Disable FineIBT since it is weaker than pure KCFI. cfi=kcfi = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Disable module loading. For example, this can be set after the system has [https://outflux.net/blog/archives/2009/07/31/blocking-module-loading/ finished booting] and initializing hardware. kernel.disable_modules = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Enable all available Address Space Randomization (ASLR) for userspace processes. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. 
# If you need ptrace to work, use value "1", which still blocks non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 3
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0
# Disable TIOCSTI, which is used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
# If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS.
kernel.warn_limit = 1
kernel.oops_limit = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2
# Disable dangerous userfaultfd usage.
vm.unprivileged_userfaultfd = 0
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

36cc11bdb87f73ea6eff0f58903e502ad1e1da16 4101 4100 2024-06-17T17:43:31Z KeesCook 3 /* sysctls */ fix typos (thanks to Alexander Popov) wikitext text/x-wiki
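The CONFIGs, command line options and sysctls above are the kind of list that gets checked against a real machine with a tool such as kernel-hardening-checker. As an added example (not code from this wiki page and not from kernel-hardening-checker), here is a small offline checker in Python covering a hand-picked subset of those settings. It parses a .config fragment, a /proc/cmdline string and `sysctl -a` output, models the three relationships the page describes (a CONFIG that must be unset, a CONFIG default that a boot parameter can substitute for, and page allocator shuffling that needs both the CONFIG and the parameter), and decodes CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE to confirm that 176 allows exactly sync, remount read-only and reboot. The subset of settings, the x86_64 value for CONFIG_DEFAULT_MMAP_MIN_ADDR and all three sample inputs are the example's own constructions, not captured from any system.

```python
# Added example (not the wiki page's own code, and not kernel-hardening-checker):
# an offline checker for a kernel .config, a boot command line and `sysctl -a`
# output against a hand-picked subset of the settings recommended above.
# The three sample inputs at the bottom are constructed, not captured anywhere.
import re

# Build-time expectations: a value, or None meaning "must be unset" (an absent
# symbol and "# CONFIG_X is not set" both count as unset).
EXPECTED_CONFIG = {
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",  # x86_64 value; arm/arm64 use 32768
    "CONFIG_DEVMEM": None,
    "CONFIG_COMPAT_BRK": None,
    "CONFIG_LEGACY_TIOCSTI": None,
}
# Runtime expectations from the sysctls section.
EXPECTED_SYSCTL = {
    "kernel.kptr_restrict": "2",
    "kernel.modules_disabled": "1",
    "kernel.yama.ptrace_scope": "3",
    "vm.unprivileged_userfaultfd": "0",
}
# Settings the page offers as a CONFIG default *or* as a boot parameter.
EITHER = [
    ("CONFIG_INIT_ON_FREE_DEFAULT_ON", "init_on_free", "1"),
    ("CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT", "randomize_kstack_offset", "on"),
]
# Page allocator shuffling needs the CONFIG *and* the boot parameter.
BOTH = [("CONFIG_SHUFFLE_PAGE_ALLOCATOR", "page_alloc.shuffle", "1")]
# sysrq bit values from Documentation/admin-guide/sysrq.rst (a value of 1 means "all").
SYSRQ_BITS = {2: "loglevel", 4: "keyboard", 8: "debug", 16: "sync",
              32: "remount-ro", 64: "signal", 128: "reboot", 256: "nice"}

_SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    # CONFIG_* symbol -> value string; explicitly unset symbols -> None.
    opts = {}
    for line in text.splitlines():
        if m := _SET_RE.match(line.strip()):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET_RE.match(line.strip()):
            opts[m.group(1)] = None
    return opts

def parse_cmdline(text):
    # Boot parameter -> value; bare flags such as "nosmt" map to "".
    return dict(tok.partition("=")[::2] for tok in text.split())

def parse_sysctl(text):
    # `sysctl -a` style "key = value" lines.
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def decode_sysrq(mask):
    # Function groups a CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE mask allows.
    if mask == 1:
        return set(SYSRQ_BITS.values())
    return {name for bit, name in SYSRQ_BITS.items() if mask & bit}

def check(config_text, cmdline_text, sysctl_text):
    # Sorted list of findings; an empty list means everything matched.
    cfg, cmd = parse_config(config_text), parse_cmdline(cmdline_text)
    sysc, findings = parse_sysctl(sysctl_text), []
    for name, want in EXPECTED_CONFIG.items():
        have = cfg.get(name)
        if have != want:
            findings.append(f"{name}: want {want or 'unset'}, have {have or 'unset'}")
    for name, want in EXPECTED_SYSCTL.items():
        if sysc.get(name) != want:
            findings.append(f"{name}: want {want}, have {sysc.get(name, 'missing')}")
    for sym, param, val in EITHER:
        if cfg.get(sym) != "y" and cmd.get(param) != val:
            findings.append(f"{param}: neither {sym}=y nor {param}={val}")
    for sym, param, val in BOTH:
        if cfg.get(sym) != "y" or cmd.get(param) != val:
            findings.append(f"{param}: needs {sym}=y and {param}={val}")
    if (sysrq := cfg.get("CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE")) is not None:
        allowed = decode_sysrq(int(sysrq, 0))
        if allowed != {"sync", "remount-ro", "reboot"}:   # 16 + 32 + 128 == 176
            findings.append(f"CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE={sysrq}: allows "
                            + (",".join(sorted(allowed)) or "nothing"))
    return sorted(findings)

# Constructed sample inputs: a half-hardened system (ptrace_scope missing entirely).
SAMPLE_CONFIG = """\
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_COMPAT_BRK=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro init_on_free=1 slab_nomerge nosmt"
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 1
kernel.modules_disabled = 0
vm.unprivileged_userfaultfd = 0
"""

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONFIG, SAMPLE_CMDLINE, SAMPLE_SYSCTL)) or "all good")
```

On a live system the same three functions can be fed `zcat /proc/config.gz` (or /boot/config-$(uname -r)), /proc/cmdline and `sysctl -a`; the constructed sample above produces nine findings, including the sysrq mask of 0x1, which the kernel treats as "allow every sysrq function" rather than as a bitmask.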
e13d1e11ed59bd885b918538fabff98c7a7657bc 4102 4101 2024-06-17T17:45:35Z KeesCook 3 /* x86_64 */ Configs renamed (thanks to Alexander Popov) wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings is. This is a brain-dump of the various options for a particularly paranoid system. Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_LIST_HARDENED=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_SELINUX_DEBUG is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for a bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set (prior to v5.16)
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_RANDOM_KMALLOC_CACHES=y
# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
# CONFIG_SLAB_MERGE_DEFAULT is not set
# Allow for randomization of high-order page allocation freelist. Must be enabled with
# the "page_alloc.shuffle=1" command line below.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Sanity check userspace page table mappings (since v5.17)
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe page allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y (prior to v5.11)
CONFIG_PAGE_POISONING_ZERO=y (prior to v5.11)
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y (prior to v5.5; the full checks are unconditional since v5.5)
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
CONFIG_KFENCE_SAMPLE_INTERVAL=100
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
# Get as much entropy as possible from external sources. The ChaCha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on function exit (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of the running kernel.
# CONFIG_HIBERNATION is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled. # CONFIG_INET_DIAG is not set # Easily confused by misconfigured userspace, keep off. # CONFIG_BINFMT_MISC is not set # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below). # CONFIG_LEGACY_TIOCSTI is not set # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set # Reboot devices immediately if kernel experiences an Oops. CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table]. CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176 # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. # See also kernel.modules_disabled sysctl below. CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11) CONFIG_STRICT_MODULE_RWX=y (since v4.11) CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" # CONFIG_MODULE_FORCE_LOAD is not set == GCC plugins == # Enable GCC Plugins CONFIG_GCC_PLUGINS=y # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. 
# When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set == x86_64 == # Full 64-bit means PAE and NX bit. CONFIG_X86_64=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel and memory. CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18) CONFIG_X86_KERNEL_IBT=y # Support userspace CET Shadow Stack CONFIG_X86_USER_SHADOW_STACK=y # Remove additional (32-bit) attack surface, unless you really need them. # CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # CONFIG_X86_X32_ABI is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_MITIGATION_SLS=y # Enable Control Flow Integrity (since v6.1). CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == arm64 == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). 
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property). CONFIG_RANDOMIZE_BASE=y # Remove arm32 support to reduce syscall attack surface. # CONFIG_COMPAT is not set # Make sure PAN emulation is enabled. CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available. CONFIG_SHADOW_CALL_STACK=y CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. CONFIG_ARM64_PTR_AUTH=y CONFIG_ARM64_PTR_AUTH_KERNEL=y # Available in ARMv8.5 and later. CONFIG_ARM64_BTI=y CONFIG_ARM64_BTI_KERNEL=y CONFIG_ARM64_MTE=y CONFIG_KASAN_HW_TAGS=y CONFIG_ARM64_E0PD=y # Available in ARMv8.7 and later. CONFIG_ARM64_EPAN=y # Enable Control Flow Integrity CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set == x86_32 == # On 32-bit kernels, require PAE for NX bit support. # CONFIG_M486 is not set # CONFIG_HIGHMEM4G is not set CONFIG_HIGHMEM64G=y CONFIG_X86_PAE=y # Disallow allocating the first 64k of memory. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 # Disable Model-Specific Register writes. # CONFIG_X86_MSR is not set # Randomize position of kernel. CONFIG_RANDOMIZE_BASE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # Enable chip-specific IOMMU support. CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y # Don't allow for 16-bit program emulation and associated LDT tricks. # CONFIG_MODIFY_LDT_SYSCALL is not set == arm == # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 # For maximal userspace memory area (and maximum ASLR). 
CONFIG_VMSPLIT_3G=y # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX. CONFIG_STRICT_MEMORY_RWX=y # Make sure PXN/PAN emulation is enabled. CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set = kernel command line options = # Make sure CONFIG_HARDENED_USERCOPY stays enabled. hardened_usercopy=1 # Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below) # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above. init_on_alloc=1 init_on_free=1 # Randomize kernel stack offset on syscall entry (since v5.13). # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above. randomize_kstack_offset=on # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too). page_alloc.shuffle=1 # Disable slab merging to make some heap overflow attacks more difficult. (See also CONFIG_SLAB_MERGE_DEFAULT) slab_nomerge # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown. pti=on # To prevent against L1TF, at the cost of losing hyper threading ('''slow'''). nosmt # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). slub_debug=ZF # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above). slub_debug=P # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above). page_poison=1 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above). iommu.passthrough=0 iommu.strict=1 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*. mitigations=auto,nosmt == x86_64 == # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind. # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.) 
vsyscall=none # Make sure COMPAT_VDSO stays disabled vdso32=0 # Disable FineIBT since it is weaker than pure KCFI. cfi=kcfi = sysctls = # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for the changing the initial value.) If root absolutely needs values from /proc, use value "1". kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). kernel.dmesg_restrict = 1 # Disable module loading. For example, this can be set after the system has [https://outflux.net/blog/archives/2009/07/31/blocking-module-loading/ finished booting] and initializing hardware. kernel.modules_disabled = 1 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Enable all available Address Space Randomization (ASLR) for userspace processes. kernel.randomize_va_space = 2 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1". kernel.yama.ptrace_scope = 3 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD). dev.tty.ldisc_autoload = 0 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.) dev.tty.legacy_tiocsti = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2) # If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS. 
 kernel.warn_limit = 1
 kernel.oops_limit = 1

 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

 # Disable dangerous userfaultfd usage.
 vm.unprivileged_userfaultfd = 0

 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1

 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
 fs.protected_fifos = 2
 fs.protected_regular = 2

 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
 fs.suid_dumpable = 0

4acaffb910612666d30397e8b87fdfd00d8ef894

4103 4102 2024-06-17T17:48:53Z KeesCook 3 Randstruct is available under GCC or Clang now wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y

 # Make sure kernel page tables have safe permissions.
 CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
 CONFIG_DEBUG_RODATA=y (prior to v4.11)
 CONFIG_STRICT_KERNEL_RWX=y (since v4.11)

 # Report any dangerous memory permissions (not available on all archs).
 CONFIG_DEBUG_WX=y

 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 # Prior to v4.18, these are:
 # CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y

 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y

 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y

 # Perform additional validation of various commonly targeted structures.
 CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y

 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y

 # Make sure line disciplines can't be autoloaded (since v5.1).
 # CONFIG_LDISC_AUTOLOAD is not set

 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y

 # Provide userspace with Landlock MAC interface.
 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y

 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_SELINUX_DEBUG is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set

 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y

 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set

 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_RANDOM_KMALLOC_CACHES=y

 # Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
 # CONFIG_SLAB_MERGE_DEFAULT is not set

 # Allow for randomization of high-order page allocation freelist. (Must be enabled with
 # the "page_alloc.shuffle=1" command line option below.)
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y

 # Sanity check userspace page table mappings (since v5.17).
 CONFIG_PAGE_TABLE_CHECK=y
 CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y

 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
 CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y

 # Wipe slab and page allocations (since v5.3).
 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y

 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
 CONFIG_INIT_STACK_ALL_ZERO=y

 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y

 # Perform extensive checks on reference counting.
 CONFIG_REFCOUNT_FULL=y

 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y

 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1).
 CONFIG_SECURITY_DMESG_RESTRICT=y

 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
 CONFIG_UBSAN_LOCAL_BOUNDS=y

 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
 CONFIG_KFENCE_SAMPLE_INTERVAL=100

 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

 # Do not ignore compile-time warnings (since v5.15).
 CONFIG_WERROR=y

 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y

 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot).
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y

 # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
 # malicious sources should not cause problems.
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y

 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
 CONFIG_RANDSTRUCT_FULL=y

 # Make scheduler aware of SMT Cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y

 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
 # minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y

 # Wipe RAM at reboot via EFI.
 # For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y

 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
 CONFIG_STATIC_USERMODEHELPER=y

 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set

 # Dangerous; enabling this disables brk ASLR.
 # CONFIG_COMPAT_BRK is not set

 # Dangerous; enabling this allows direct kernel memory writing.
 # CONFIG_DEVKMEM is not set

 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set

 # Dangerous; enabling this disables VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set

 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set

 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_HIBERNATION is not set

 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
 # CONFIG_INET_DIAG is not set

 # Easily confused by misconfigured userspace, keep off.
 # CONFIG_BINFMT_MISC is not set

 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set

 # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
 # CONFIG_LEGACY_TIOCSTI is not set

 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set

 # Reboot devices immediately if kernel experiences an Oops.
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1

 # Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176

 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 # But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
 # See also kernel.modules_disabled sysctl below.
 CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
 CONFIG_STRICT_MODULE_RWX=y (since v4.11)
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 # CONFIG_MODULE_FORCE_LOAD is not set

== GCC plugins ==

 # Enable GCC Plugins.
 CONFIG_GCC_PLUGINS=y

 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y

 # Force all structures to be initialized before they are passed to other functions.
 # When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y

 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack).
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set

== x86_64 ==

 # Full 64-bit means PAE and NX bit.
 CONFIG_X86_64=y

 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set

 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y

 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 # CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y

 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y

 # Support userspace CET Shadow Stack.
 CONFIG_X86_USER_SHADOW_STACK=y

 # Remove additional (32-bit) attack surface, unless you really need these interfaces.
 # CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
 # CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set

 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y

 # Mitigate Straight-Line Speculation.
 CONFIG_MITIGATION_SLS=y

 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== arm64 ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

 # Remove arm32 support to reduce syscall attack surface.
 # CONFIG_COMPAT is not set

 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y

 # Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available.
 CONFIG_SHADOW_CALL_STACK=y
 CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y

 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
 CONFIG_ARM64_PTR_AUTH=y
 CONFIG_ARM64_PTR_AUTH_KERNEL=y

 # Available in ARMv8.5 and later.
 CONFIG_ARM64_BTI=y
 CONFIG_ARM64_BTI_KERNEL=y
 CONFIG_ARM64_MTE=y
 CONFIG_KASAN_HW_TAGS=y
 CONFIG_ARM64_E0PD=y

 # Available in ARMv8.7 and later.
 CONFIG_ARM64_EPAN=y

 # Enable Control Flow Integrity.
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==

 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
 # CONFIG_HIGHMEM4G is not set
 CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y

 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

 # Disable Model-Specific Register writes.
 # CONFIG_X86_MSR is not set

 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y

 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y

 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==

 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

 # For maximal userspace memory area (and maximum ASLR).
 CONFIG_VMSPLIT_3G=y

 # If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y

 # Make sure PXN/PAN emulation is enabled.
 CONFIG_CPU_SW_DOMAIN_PAN=y

 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set

= kernel command line options =

 # Make sure CONFIG_HARDENED_USERCOPY stays enabled.
 hardened_usercopy=1

 # Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below).
 # See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
 init_on_alloc=1
 init_on_free=1

 # Randomize kernel stack offset on syscall entry (since v5.13).
 # See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
 randomize_kstack_offset=on

 # Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
 page_alloc.shuffle=1

 # Disable slab merging to make some heap overflow attacks more difficult. (See also CONFIG_SLAB_MERGE_DEFAULT.)
 slab_nomerge

 # Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
 pti=on

 # To protect against L1TF, at the cost of losing hyper threading ('''slow''').
 nosmt

 # Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=ZF

 # (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
 slub_debug=P

 # (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
 page_poison=1

 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
 iommu.passthrough=0 iommu.strict=1

 # Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
 mitigations=auto,nosmt

== x86_64 ==

 # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
 # (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
 vsyscall=none

 # Make sure COMPAT_VDSO stays disabled.
 vdso32=0

 # Disable FineIBT since it is weaker than pure KCFI.
 cfi=kcfi

= sysctls =

 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
 kernel.kptr_restrict = 2

 # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
 kernel.dmesg_restrict = 1

 # Disable module loading. For example, this can be set after the system has [https://outflux.net/blog/archives/2009/07/31/blocking-module-loading/ finished booting] and initializing hardware.
 kernel.modules_disabled = 1

 # Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2").
 kernel.perf_event_paranoid = 3

 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1

 # Enable all available Address Space Randomization (ASLR) for userspace processes.
 kernel.randomize_va_space = 2

 # Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
 kernel.yama.ptrace_scope = 3

 # Disable User Namespaces, as they open up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0

 # Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
 dev.tty.ldisc_autoload = 0

 # Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)
 dev.tty.legacy_tiocsti = 0

 # Turn off unprivileged eBPF access.
 kernel.unprivileged_bpf_disabled = 1

 # Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
 # If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS.
 kernel.warn_limit = 1
 kernel.oops_limit = 1

 # Turn on BPF JIT hardening, if the JIT is enabled.
 net.core.bpf_jit_harden = 2

 # Disable dangerous userfaultfd usage.
 vm.unprivileged_userfaultfd = 0

 # Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1

 # Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
 fs.protected_fifos = 2
 fs.protected_regular = 2

 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
 fs.suid_dumpable = 0

5f9a983ffbc70a5c3541695a247dc59f7d717bf8

4104 4103 2024-06-17T17:50:28Z KeesCook 3 /* CONFIGs */ note the use of CONFIG_IOMMU_DEFAULT_PASSTHROUGH (thanks to Alexander Popov) wikitext text/x-wiki

Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.

Another place to find recommended kernel hardening settings is the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.

= CONFIGs =

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y

 # Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)
CONFIG_DEBUG_RODATA=y (prior to v4.11)
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_LIST_HARDENED=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Provide userspace with Landlock MAC interface.
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_SELINUX_DEBUG is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_RANDOM_KMALLOC_CACHES=y
# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
# CONFIG_SLAB_MERGE_DEFAULT is not set
# Allow for randomization of high-order page allocation freelist. Must be enabled with
# the "page_alloc.shuffle=1" command line below.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Sanity check userspace page table mappings (since v5.17)
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
CONFIG_KFENCE_SAMPLE_INTERVAL=100
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
# malicious sources should not cause problems.
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution.
# If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
CONFIG_RANDSTRUCT_FULL=y
# Make scheduler aware of SMT Cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
# minimizes stale data in registers). (Since v5.15)
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Limit sysrq to sync,unmount,reboot. For more details see the [https://docs.kernel.org/admin-guide/sysrq.html sysrq bit field table].
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.
# See also kernel.modules_disabled sysctl below.
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y (since v4.11)
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
# CONFIG_MODULE_FORCE_LOAD is not set

== GCC plugins ==
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
# When building with GCC:
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set

== x86_64 ==
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
# Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
CONFIG_X86_KERNEL_IBT=y
# Support userspace CET Shadow Stack
CONFIG_X86_USER_SHADOW_STACK=y
# Remove additional (32-bit) attack surface, unless you really need them.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_X86_X32_ABI is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y
# Straight-Line-Speculation
CONFIG_MITIGATION_SLS=y
# Enable Control Flow Integrity (since v6.1).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== arm64 ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y
# Remove arm32 support to reduce syscall attack surface.
# CONFIG_COMPAT is not set
# Make sure PAN emulation is enabled.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_UNMAP_KERNEL_AT_EL0=y
# Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available.
CONFIG_SHADOW_CALL_STACK=y
CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
# Available in ARMv8.5 and later.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
# Available in ARMv8.7 and later.
CONFIG_ARM64_EPAN=y
# Enable Control Flow Integrity
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

== x86_32 ==
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set

== arm ==
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.
CONFIG_STRICT_MEMORY_RWX=y
# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set

= kernel command line options =
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.
hardened_usercopy=1
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.
init_on_alloc=1
init_on_free=1
# Randomize kernel stack offset on syscall entry (since v5.13).
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.
randomize_kstack_offset=on
# Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).
page_alloc.shuffle=1
# Disable slab merging to make some heap overflow attacks more difficult. (See also CONFIG_SLAB_MERGE_DEFAULT)
slab_nomerge
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.
pti=on
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').
nosmt
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).
slub_debug=ZF
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).
iommu.passthrough=0 iommu.strict=1
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt

== x86_64 ==
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none
# Make sure COMPAT_VDSO stays disabled
vdso32=0
# Disable FineIBT since it is weaker than pure KCFI.
cfi=kcfi

= sysctls =
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".
kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
kernel.dmesg_restrict = 1
# Disable module loading. For example, this can be set after the system has [https://outflux.net/blog/archives/2009/07/31/blocking-module-loading/ finished booting] and initializing hardware.
kernel.modules_disabled = 1
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Enable all available Address Space Randomization (ASLR) for userspace processes.
kernel.randomize_va_space = 2
# Block all PTRACE_ATTACH.
# If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
kernel.yama.ptrace_scope = 3
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).
dev.tty.ldisc_autoload = 0
# Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)
dev.tty.legacy_tiocsti = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
# If you want to set oops_limit greater than one, you will need to disable CONFIG_PANIC_ON_OOPS.
kernel.warn_limit = 1
kernel.oops_limit = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2
# Disable dangerous userfaultfd usage.
vm.unprivileged_userfaultfd = 0
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!
fs.protected_fifos = 2
fs.protected_regular = 2
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
fs.suid_dumpable = 0

68d06ee87ea7650b958953508c69009ad1dd107a

4108 4104 2024-07-04T20:08:08Z KeesCook 3 Replaced content with "This wiki has moved to the [https://kspp.github.io/Recommended_Settings KSPP project page]" wikitext text/x-wiki

This wiki has moved to the [https://kspp.github.io/Recommended_Settings KSPP project page]

7ce82f3de75d8101e0f7edc10ec5a5b1382d0311

KSPP 0 193

4105 4029 2024-07-04T20:04:47Z KeesCook 3 github move wikitext text/x-wiki

#REDIRECT [https://kspp.github.io/|Kernel Self Protection Project]

4c2a35b8894519c6ed1c27d5e920842154f11eab

4106 4105 2024-07-04T20:05:59Z KeesCook 3 wikitext text/x-wiki

#REDIRECT [https://kspp.github.io/]

17b0934e7664bfcae960ace6b1294e2dc2f3c769

4107 4106 2024-07-04T20:07:10Z KeesCook 3 wikitext text/x-wiki

This wiki has moved to the [https://kspp.github.io/ KSPP project page]

5eed0993c8143a7b39d06c3c8d7d41439427d21f

Kernel Self Protection Project 0 162

4109 4061 2024-07-04T20:08:36Z KeesCook 3 Replaced content with "This wiki has moved to the [https://kspp.github.io/ KSPP project page]" wikitext text/x-wiki

This wiki has moved to the [https://kspp.github.io/ KSPP project page]

5eed0993c8143a7b39d06c3c8d7d41439427d21f
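The CONFIG and sysctl lists in the Recommended Settings revision above are only useful once a build or a running host is actually checked against them. The script below is an added example for this page; it is not code from the wiki, from KSPP, or from the kernel-hardening-checker project. It parses a kernel `.config` (both `CONFIG_X=y` lines and the `# CONFIG_X is not set` form that Kconfig writes for disabled symbols) and a `sysctl -a` style dump, then reports every deviation from a subset of the page's recommendations. The two expectation tables are copied from the page; the sample `.config` and sysctl fragments, and all function names, are constructed for the example.

```python
"""Audit a kernel .config and a `sysctl -a` dump against a subset of the
KSPP recommended settings listed on this page.

Added example; not the wiki's, KSPP's, or kernel-hardening-checker's code.
Expectation tables are copied from the page; sample inputs are constructed.
"""
import re

# Subset of the "CONFIGs" section above. "n" stands for "# CONFIG_X is not set".
EXPECTED_KCONFIG = {
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_HARDENED_USERCOPY": "y",
    "CONFIG_SLAB_FREELIST_HARDENED": "y",
    "CONFIG_INIT_ON_ALLOC_DEFAULT_ON": "y",
    "CONFIG_SECURITY_LOCKDOWN_LSM": "y",
    "CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE": "176",
    "CONFIG_MODULE_SIG_HASH": '"sha512"',
    "CONFIG_DEVKMEM": "n",
    "CONFIG_KEXEC": "n",
    "CONFIG_LEGACY_TIOCSTI": "n",
}

# Subset of the "sysctls" section above.
EXPECTED_SYSCTL = {
    "kernel.kptr_restrict": "2",
    "kernel.dmesg_restrict": "1",
    "kernel.yama.ptrace_scope": "3",
    "kernel.unprivileged_bpf_disabled": "1",
    "fs.protected_symlinks": "1",
    "fs.protected_regular": "2",
    "fs.suid_dumpable": "0",
}

_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Map CONFIG_ symbols to their values; disabled symbols map to "n".

    Kconfig records a disabled bool/tristate as a comment line, so a parser
    that skipped every '#' line would lose exactly the entries this page
    says to keep off.
    """
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols


def parse_sysctl(text):
    """Map sysctl keys to values from 'key = value' lines (sysctl -a format)."""
    values = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def normalize_value(value):
    """Integers compare numerically, so a .config holding 0xb0 satisfies 176."""
    try:
        return int(value, 0)
    except ValueError:
        return value


def find_deviations(actual, expected):
    """Return sorted (name, wanted, found) triples for unmet expectations.

    A symbol the input never mentions is reported as "missing"; for a .config
    that usually means the kernel tree does not offer the option at all.
    """
    deviations = []
    for name, wanted in expected.items():
        found = actual.get(name, "missing")
        if normalize_value(found) != normalize_value(wanted):
            deviations.append((name, wanted, found))
    return sorted(deviations)


def audit(kconfig_text, sysctl_text):
    """Run both checks; returns {"kconfig": [...], "sysctl": [...]}."""
    return {
        "kconfig": find_deviations(parse_kconfig(kconfig_text), EXPECTED_KCONFIG),
        "sysctl": find_deviations(parse_sysctl(sysctl_text), EXPECTED_SYSCTL),
    }


# Constructed sample .config fragment (not from any real build). It leaves
# CONFIG_SECURITY_LOCKDOWN_LSM out entirely and spells the sysrq mask in hex.
SAMPLE_KCONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_HARDENED=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0xb0
CONFIG_MODULE_SIG_HASH="sha256"
# CONFIG_DEVKMEM is not set
CONFIG_KEXEC=y
# CONFIG_LEGACY_TIOCSTI is not set
"""

# Constructed sample `sysctl -a` fragment.
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1
kernel.unprivileged_bpf_disabled = 0
fs.protected_symlinks = 1
fs.protected_regular = 2
fs.suid_dumpable = 0
"""

if __name__ == "__main__":
    import gzip
    import sys
    # Usage: audit.py [/proc/config.gz sysctl-dump.txt]; defaults to the samples.
    if len(sys.argv) == 3:
        opener = gzip.open if sys.argv[1].endswith(".gz") else open
        with opener(sys.argv[1], "rt") as f:
            kconfig = f.read()
        with open(sys.argv[2]) as f:
            sysctl = f.read()
    else:
        kconfig, sysctl = SAMPLE_KCONFIG, SAMPLE_SYSCTL
    for kind, items in audit(kconfig, sysctl).items():
        for name, wanted, found in items:
            print(f"{kind}: {name}: wanted {wanted}, found {found}")
```

On the constructed samples the script reports four `.config` deviations (init_on_alloc off, kexec on, a sha256 module signing hash, and the lockdown LSM missing) and three sysctl deviations (kptr_restrict, unprivileged_bpf_disabled and ptrace_scope), while the hex sysrq mask `0xb0` is accepted as equal to 176. The comparison is plain equality, so a value that is stricter than the page's recommendation (for instance `kernel.unprivileged_bpf_disabled = 2`, which also locks the setting) is still listed as a deviation; treat the report as a diff against the page, not as a pass/fail verdict.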